How To Clean Up A Firewall Rule Base

Firewalls are a mature technology, right?  Most companies have at least one, if not several. But over time, firewall rule bases tend to become large and complicated. Not long ago, 200-300 rules were considered excessive. Now, it’s not unusual for firewalls to have many hundreds or even thousands of rules, many of which were rendered obsolete when IT operations added new rules to meet business requests but neglected to remove any old ones.

Analysing configurations for a few firewalls, let alone hundreds, has grown beyond the capacity of human computation. That’s why a new class of products – several of which were tested earlier this month by Network World – are quickly rising in popularity to help network administrators catch misconfigurations, avoid conflicting rules, identify vulnerabilities and meet auditing and compliance mandates.

Bloated rule sets

According to a May 2010 CSO article, “Firewall audit tools automate the otherwise all-but-impossible task of analysing complex and bloated rule sets to verify and demonstrate enterprise access controls and configuration change-management processes.”

But even if you only have a couple of firewalls, if they have been in place for even a couple of years, chances are they include rules that are either partially or completely unused, expired or overlap or “shadow” each other.

The problem gets worse if there have been multiple administrators making changes or if there are many firewalls in your organisation.  When the rule base gets big and tangled, it starts to affect firewall performance.  It is difficult to maintain, and it can conceal genuine security risks. And standards such as PCI-DSS require clean up of unused rules and objects.

Business efficiency and security may be the goals, but regulatory requirements frequently open up the budget. The firewall audit market, pegged by Forrester Research at $25 million (£15.7m) to $30 million (£18.9m) in 2009, is fueled by PCI DSS requirements to review firewall and router configurations every six months. These controls also typically come under scrutiny during internal, partner and other regulatory audits.

Best practices

With the help of Tufin Technologies’ customers, I have put together a list of best practices for cleaning up a firewall (or router) rule base:

• Delete fully shadowed rules that are effectively useless.
• Delete expired and unused rules and objects.
• Remove unused connections – specific source/destination/service routes that are not in use.
• Enforce object naming conventions that make the rule base easy to understand. For example, use a consistent format such as host name_IP for hosts. Delete old and unused policies. Check Point and some other vendors allow you to keep multiple rule bases.
• Remove duplicate objects, for example, a service or network host that is defined twice with different names.  Reduce shadowing as much as possibleBreak up long rule sections into readable chunks of no more than 20 rules. Document rules, objects and policy revisions – for future reference.

Enterprises exhaust countless man-hours analysing firewall and router configurations to produce audit reports, only to realise that they do not have a firm grasp on their network access controls and the change-management processes that enable them.

The Network World test lab gave the class of products as a whole a thumbs up.  In addition to the core firewall rule base clean up and optimisation functions, some of the vendors, including Tufin, support a wide variety of switches and routers, which are prone to the same set of issues, and also automate the process for creating, testing, and implementing policy (aka rule) changes.

While compliance automation may be sufficient budget justification, firewall management tools also offer tangible business and operational benefits that go beyond audit woes.

Reuven Harrison is CTO of firewall management vendor Tufin Technologies