In a recent post, I reported that network address translation (NAT) is becoming a tougher sell for internal test and development systems. In lieu of NAT, firewalls are clearly becoming the preferred way to segregate networks for systems that represent different security zones, compliance zones or software lifecycle zones. In this blog post, I want to highlight a few pros and cons of using firewalls for software testing, in terms of the practical, real-world issues that managers and administrators deal with on a day-to-day basis.
On the positive side, firewalls can increase security between different software lifecycle zones. In most situations, a firewall will permit only explicitly allowed traffic between the hosts behind it and the rest of the network. The biggest protection here is that a test or development system would not hit a live database or related system because of an inadvertent configuration. An example would be a test application server that is loaded with a large amount of simulation data but, because it was accidentally misconfigured, actually processes that data on the live database server. This scenario has played out many times in real life, but with a firewall rule in place the misconfigured application would get a "database connection failed" message instead of sending a load of bad data to the live database engine.
Another good reason to use firewalls is that they can address various compliance requirements by separating compliance zones more clearly. Simply separating production-class networks from the others, or in-scope compliance networks from test and development networks, offers little protection without any enforcement of traffic patterns. A firewalled network addresses this by explicitly permitting each traffic flow.
On the negative side, firewalls can be a hassle for application owners and systems administrators. In most environments these individuals do not administer the firewall rules, and it is usually painstakingly difficult to identify the network requirements down to the port and host level for the number of systems that could be behind the firewall. Further, there can also be additional costs associated with implementing firewalls between production and test networks.
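One way to approach the port-and-host-level inventory described above is to start from observed traffic. The following Python example is added here and is not from the original post; the zone address ranges, the flow record format and the sample records are constructed assumptions. It sorts flows into those that stay inside the test network, those that need an explicit rule, and those that touch production (the misconfigured-server scenario described earlier), which are held for review.

```python
import ipaddress
from collections import Counter

# Assumed zone layout; these ranges are constructed for the example.
TEST_NET = ipaddress.ip_network("10.20.0.0/16")
PROD_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed flow records: "src dst proto dport", one per line.
SAMPLE_FLOWS = """\
10.20.1.15 10.20.2.40 tcp 5432   # test app -> test database
10.20.1.15 10.20.2.40 tcp 5432
10.20.1.15 10.30.0.53 udp 53     # test app -> shared DNS
10.20.1.16 10.30.0.53 udp 53
10.30.5.9  10.20.1.15 tcp 8443   # admin host -> test app
10.20.1.15 10.10.2.40 tcp 5432   # test app -> live database
not a flow record
"""

def zone(addr):
    ip = ipaddress.ip_address(addr)
    if ip in TEST_NET:
        return "test"
    return "prod" if ip in PROD_NET else "other"

def parse_flows(text):
    """Return (Counter of unique flows, line numbers that failed to parse)."""
    flows, skipped = Counter(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            src, dst, proto, dport = fields
            key = (str(ipaddress.ip_address(src)),
                   str(ipaddress.ip_address(dst)), proto, int(dport))
            if proto not in ("tcp", "udp") or not 0 < key[3] < 65536:
                raise ValueError(line)
        except ValueError:
            skipped.append(lineno)
            continue
        flows[key] += 1
    return flows, skipped

def classify(flows):
    """Sort flows that involve the test zone into three buckets."""
    result = {"internal": [], "candidate": [], "review": []}
    for (src, dst, proto, port), hits in sorted(flows.items()):
        zones = {zone(src), zone(dst)}
        if "test" not in zones:
            continue                  # not this firewall's traffic
        bucket = ("internal" if zones == {"test"}     # never crosses the firewall
                  else "review" if "prod" in zones    # test <-> production
                  else "candidate")                   # rule to request
        result[bucket].append(f"{src} -> {dst} {proto}/{port} (seen {hits}x)")
    return result
```

Only the `candidate` entries are meant to go into a rule request; anything in `review` should be explained by the application owner before a rule is considered.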
Hassle aside, the protection benefits should outweigh the hard work. This effort will pay off in other areas as well, including compliance audits, outbreak protection and organizational changes that take place when large segments of an infrastructure need to be moved to another location or platform.
How are firewalls or NAT gateways playing out in your test and development environments? Share your comments below.