Firewall Rulebase Cleanup - A manual approach
The KISS (keep it short and simple) concept rarely works for firewalls, because several administrators manage the same device and the number of network-dependent applications keeps growing. Over time the number of rules grows, resulting in redundant and shadowed rules, longer troubleshooting time, degraded performance and, very often, hidden threats. To avoid these problems, a well-maintained rulebase on Enterprise firewalls is highly desirable.
Over time, most nonessential rules can be traced to a few causes: rules added for testing, loss of the information tying a rule to its business requirement when firewall administration changes hands, and rules added while troubleshooting complex business applications.
Approach for Cleanup: Automated vs Manual
Fortunately, there are many excellent solutions from reputable vendors that can drastically improve the sanity of a firewall's rulebase. SecureTrack, SkyboxSecurity, Algosec, Athena Firepac, etc. are some of the best solutions on the market; they help manage the firewall rulebase better and also address regulatory requirements such as PCI-DSS. Using such commercial tools is advisable for an organization with a large number of Enterprise firewalls. Small and medium-sized organizations, however, can use a structured manual approach to clean the rulebase.
This type of cleanup process can be divided into two phases: the first phase, "Low Effort Wins", includes methods that remove certain types of rules without much effort; the second phase, "High Effort Wins", includes methods that require careful analysis and the regrouping or deletion of rules.
Low Effort Wins
Cleanup of expired and disabled rules
Any rule that was created on a temporary basis and has now expired is eligible for immediate deletion. Disabled rules could also be reviewed and deleted.
Cleanup of redundant rules and objects
Identical and redundant rules can also be flagged for deletion. Comparing the hit counts of identical rules shows which copy is unused and can be deleted. Similarly, redundant objects should also be identified and removed.
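As an added illustration (this is not code from the article or from any vendor product), the following Python script applies the phase-one checks to a small constructed rulebase: it flags expired and disabled rules, then groups rules with identical match fields and keeps only the copy with the most hits. The field names, the sample rules and the reference date AS_OF are assumptions; a real run would read the rulebase from the firewall's export or API.

```python
from datetime import date

# Constructed sample rulebase in a vendor-neutral shape; it is not an export
# from any real firewall. "expires" is None for permanent rules and "hits" is
# the counter shown in the firewall's rule statistics.
RULES = [
    {"id": 1, "name": "web-in", "enabled": True, "expires": None,
     "src": "any", "dst": "10.0.1.10", "svc": "tcp/443", "action": "allow", "hits": 120394},
    {"id": 2, "name": "vendor-test", "enabled": True, "expires": date(2013, 6, 30),
     "src": "10.9.9.0/24", "dst": "10.0.1.0/24", "svc": "any", "action": "allow", "hits": 42},
    {"id": 3, "name": "old-ftp", "enabled": False, "expires": None,
     "src": "any", "dst": "10.0.1.20", "svc": "tcp/21", "action": "allow", "hits": 0},
    {"id": 4, "name": "web-in-copy", "enabled": True, "expires": None,
     "src": "any", "dst": "10.0.1.10", "svc": "tcp/443", "action": "allow", "hits": 0},
    {"id": 5, "name": "dns-out", "enabled": True, "expires": None,
     "src": "10.0.0.0/8", "dst": "any", "svc": "udp/53", "action": "allow", "hits": 9981},
]

# Assumed "today" for the expiry check.
AS_OF = date(2014, 1, 1)

# Two rules are identical when these fields match; the name and the counters
# do not change what traffic the rule admits.
MATCH_FIELDS = ("src", "dst", "svc", "action")


def expired_rules(rules, today):
    """IDs of temporary rules whose expiry date has already passed."""
    return [r["id"] for r in rules if r["expires"] is not None and r["expires"] < today]


def disabled_rules(rules):
    """IDs of rules that are switched off and should be reviewed for deletion."""
    return [r["id"] for r in rules if not r["enabled"]]


def redundant_rules(rules):
    """IDs of duplicate rules to delete. Rules with identical match fields are
    grouped; the copy with the most hits is kept (the earliest rule on a tie)
    and the other copies are flagged."""
    groups = {}
    for r in rules:
        groups.setdefault(tuple(r[f] for f in MATCH_FIELDS), []).append(r)
    flagged = []
    for members in groups.values():
        if len(members) < 2:
            continue
        keep = max(members, key=lambda r: (r["hits"], -r["id"]))
        flagged.extend(r["id"] for r in members if r["id"] != keep["id"])
    return sorted(flagged)


def low_effort_report(rules, today):
    """Everything phase one flags, keyed by the reason for deletion."""
    return {
        "expired": expired_rules(rules, today),
        "disabled": disabled_rules(rules),
        "redundant": redundant_rules(rules),
    }


if __name__ == "__main__":
    for reason, ids in low_effort_report(RULES, AS_OF).items():
        print(f"{reason:9s}: {ids}")
```

On the sample data the script flags rule 2 (expired), rule 3 (disabled) and rule 4 (an exact copy of rule 1 that has never matched). Keeping the higher-hit copy of a duplicate pair matters on firewalls where the hit counter is the only evidence of which rule the traffic actually lands on.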
High Effort Wins
Identify and remove shadowed rules
Many rules are masked, completely or partially, by earlier rules that already allow a superset of their ports, so the later rule is never (or only partly) reached. These shadowed rules should be identified carefully by sorting the rules by service, then evaluating and removing them. Partially shadowed rules can be split into their respective groups.
Identify and remove unused rules
Identify unused rules by observing the hit counts on the rule statistics. Monitor the hit count for at least a month and report the list to the Senior Management and Business Owner, thereby seeking approval for cleanup.
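The two checks above, shadowed rules and unused rules, are shown together in the following added Python example, which is not code from the article or from any vendor product. Shadowing is computed in rule order: a rule is fully shadowed when an earlier rule covers all of its sources, destinations and services (an action mismatch is reported as a policy conflict rather than a harmless duplicate), and partially shadowed when an earlier rule overlaps it without covering it. Unused rules are those whose hit counter did not move between two snapshots at least 30 days apart. The rulebase, the counter snapshots and the field layout are constructed assumptions.

```python
import ipaddress
from datetime import date

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed rulebase in evaluation order (first match wins); not an export
# from any real firewall. Sources and destinations are "any" or a
# comma-separated list of hosts/networks; services are "any" or a list of
# proto/port strings.
RULES = [
    {"id": 1, "src": "any", "dst": "10.0.1.0/24", "svc": "tcp/80,tcp/443", "action": "allow"},
    {"id": 2, "src": "10.0.2.0/24", "dst": "10.0.1.10", "svc": "tcp/443", "action": "allow"},
    {"id": 3, "src": "10.0.2.0/24", "dst": "10.0.1.10", "svc": "tcp/443,tcp/22", "action": "allow"},
    {"id": 4, "src": "10.0.3.0/24", "dst": "10.0.1.50", "svc": "tcp/80", "action": "deny"},
    {"id": 5, "src": "10.0.0.0/8", "dst": "any", "svc": "udp/53", "action": "allow"},
]

# Constructed hit-counter snapshots (date, {rule id: cumulative hits}) taken at
# the start and the end of the observation window.
SNAPSHOT_START = (date(2014, 1, 1), {1: 5000, 2: 0, 3: 17, 4: 0, 5: 900})
SNAPSHOT_END = (date(2014, 2, 1), {1: 5400, 2: 0, 3: 17, 4: 0, 5: 1200})


def nets(spec):
    """'any' or 'a.b.c.d/n, e.f.g.h' -> list of ip_network objects."""
    if spec == "any":
        return [ANY_NET]
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]


def svcs(spec):
    """'any' -> None (matches every service); otherwise a frozenset of services."""
    return None if spec == "any" else frozenset(s.strip() for s in spec.split(","))


def covers(outer, inner):
    """Every network in inner lies inside some network in outer."""
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def overlaps(a, b):
    return any(x.overlaps(y) for x in a for y in b)


def svc_covers(outer, inner):
    return outer is None or (inner is not None and inner <= outer)


def svc_overlaps(a, b):
    return a is None or b is None or bool(a & b)


def shadow_report(rules):
    """Map rule id -> (kind, shadowing rule id, same_action) for every rule
    that an earlier rule masks. kind is 'full' (never reached: delete or
    merge) or 'partial' (part of its traffic is already handled: split it).
    same_action False means the masked rule would have decided differently,
    i.e. a policy conflict rather than mere redundancy."""
    parsed = [(r["id"], nets(r["src"]), nets(r["dst"]), svcs(r["svc"]), r["action"])
              for r in rules]
    report = {}
    for i, (bid, bsrc, bdst, bsvc, bact) in enumerate(parsed):
        for aid, asrc, adst, asvc, aact in parsed[:i]:  # only earlier rules can shadow
            if covers(asrc, bsrc) and covers(adst, bdst) and svc_covers(asvc, bsvc):
                report[bid] = ("full", aid, aact == bact)
                break
            if overlaps(asrc, bsrc) and overlaps(adst, bdst) and svc_overlaps(asvc, bsvc):
                report.setdefault(bid, ("partial", aid, aact == bact))
    return report


def unused_rules(start, end, min_days=30):
    """IDs of rules whose counter did not move between the two snapshots.
    Refuses to judge on a window shorter than min_days: a rule that is quiet
    for a week may still carry month-end traffic."""
    (start_day, start_hits), (end_day, end_hits) = start, end
    window = (end_day - start_day).days
    if window < min_days:
        raise ValueError(f"observation window is {window} days, need at least {min_days}")
    return sorted(rid for rid, hits in end_hits.items() if hits - start_hits.get(rid, 0) == 0)


if __name__ == "__main__":
    for rid, (kind, by, same) in shadow_report(RULES).items():
        print(f"rule {rid}: {kind}ly shadowed by rule {by}" + ("" if same else " (action conflict)"))
    print("unused over the window:", unused_rules(SNAPSHOT_START, SNAPSHOT_END))
```

On the sample data rule 2 is fully shadowed by rule 1, rule 3 only partially (tcp/22 is not covered, so it should be split), and rule 4 is a deny that rule 1 reaches first; the hit-count window also flags rules 2, 3 and 4, which is the list to take to the business owner for approval. Rule 3 shows why the window matters: it has a nonzero lifetime counter but no traffic in the last month.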
Group similar business function access
Careful study of the network and an understanding of the business functions the rules support will help in grouping rules without changing the risk associated with them.
Long term measures for maintaining a “clean” rulebase
Maintaining a clean and structured rulebase is important and can be achieved using well-defined operational practices as discussed below.
Standardize the nomenclature and grouping of objects
Devise a standard nomenclature and grouping policy that best fits the organization, e.g. hostname_18.104.22.168, H_22.214.171.124, N_126.96.36.199/24, HR_188.8.131.52, etc. Also, avoid nesting groups within groups unless absolutely necessary. Such practices make it easier to identify redundant and shadowed rules during a cleanup cycle.
Develop a firewall administration policy
Define, document and publish a firewall administration policy that includes various details like grouping of rules based on functionality (Administration, VPN, Business Services), positioning of rules, logging policies, naming conventions, services allowed between zones, etc. This would assist in flagging noncompliant rules during audits and grouping of similar business functional rules.
Briefly document the rule details
Identify and enforce a way of documenting the details of the access required. If a Change Control Process is already used, mandate the collection of details like associated businesses, associated applications, names and contacts of individuals responsible, etc. Also, document the Change control number under the firewall rule description. This would considerably reduce the effort required to backtrack the business requirement associated with unused firewall rules during a cleanup cycle.
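The three operational practices above (object naming and grouping, a published administration policy, and rule documentation tied to change control) are the kind of checks that can be scripted so that a quarterly audit flags non-compliant entries automatically. The following Python audit is an added example, not code from the article or from any vendor product. The naming patterns (H_<ip>, N_<network>/<prefix>, G_<purpose>), the change-control reference format CR-<number>, the allowed rule sections and the sample objects and rules are all assumptions modelled on the text and should be replaced by the organization's own policy.

```python
import re

# Assumed conventions, modelled on the examples in the text: host objects are
# named H_<ip>, network objects N_<network>/<prefix>, groups G_<purpose>, and
# every rule description carries a change-control reference such as CR-1234.
# These are placeholders to adapt to the organization's own policy.
NAME_PATTERNS = {
    "host": re.compile(r"^H_\d{1,3}(?:\.\d{1,3}){3}$"),
    "network": re.compile(r"^N_\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$"),
    "group": re.compile(r"^G_[a-z0-9_]+$"),
}
CHANGE_REF = re.compile(r"\bCR-\d+\b")
# Functional sections the administration policy allows rules to live in.
SECTIONS = {"Administration", "VPN", "Business Services"}

# Constructed object database and rulebase (not from any real firewall).
OBJECTS = {
    "H_10.0.1.10": {"type": "host"},
    "web-server-2": {"type": "host"},                        # breaks the naming standard
    "N_10.0.2.0/24": {"type": "network"},
    "G_web": {"type": "group", "members": ["H_10.0.1.10"]},
    "G_all_servers": {"type": "group", "members": ["G_web", "N_10.0.2.0/24"]},  # nested group
}
RULES = [
    {"id": 1, "section": "Business Services", "src": "any", "dst": "G_web",
     "log": True, "desc": "CR-4411 public web access, owner: web team"},
    {"id": 2, "section": "Misc", "src": "N_10.0.2.0/24", "dst": "web-server-2",
     "log": False, "desc": "added while troubleshooting"},
]


def audit_objects(objects):
    """Findings as (check, object name) tuples: names that break the standard,
    groups that nest other groups, and members that do not exist."""
    findings = []
    for name, obj in objects.items():
        if not NAME_PATTERNS[obj["type"]].match(name):
            findings.append(("naming", name))
        if obj["type"] == "group":
            for member in obj["members"]:
                if member not in objects:
                    findings.append(("unknown-member", name))
                elif objects[member]["type"] == "group":
                    findings.append(("nested-group", name))
    return findings


def audit_rules(rules, objects):
    """Findings as (check, rule id) tuples: rules outside an allowed section,
    without a change-control reference, without logging, or referencing an
    object that is not defined."""
    findings = []
    for r in rules:
        if r["section"] not in SECTIONS:
            findings.append(("section", r["id"]))
        if not CHANGE_REF.search(r["desc"]):
            findings.append(("no-change-ref", r["id"]))
        if not r["log"]:
            findings.append(("no-logging", r["id"]))
        for field in ("src", "dst"):
            if r[field] != "any" and r[field] not in objects:
                findings.append(("unknown-object", r["id"]))
    return findings


if __name__ == "__main__":
    for check, name in audit_objects(OBJECTS):
        print(f"object {name}: {check}")
    for check, rid in audit_rules(RULES, OBJECTS):
        print(f"rule {rid}: {check}")
```

On the sample data the audit reports the badly named host and the nested group, and it flags rule 2 three times: it sits outside the policy's sections, has no change-control number to trace the business requirement back to, and is not logged. A rule like rule 2 is exactly the one that is hardest to justify at the next cleanup cycle.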
Conduct a quarterly review
Just like any other improvement process, this is a continuous cycle that must be monitored by audits and repeated, preferably every quarter, to maintain and improve the rulebase.
References
- Tufin Firewall Expert Tip #6: How to Cleanup a Firewall Rulebase
- Skybox Certified Firewall Analyzer
- Algosec Firewall Analyzer