Policy Optimization
Enterprise firewalls carry hundreds, often thousands, of rules and objects, and the rule base keeps changing and growing. Because the firewall is the first and continuing line of defense, this constant flux degrades its performance and widens the enterprise's exposure to security breaches.
Beyond rules that have simply become obsolete, unused, duplicated and covered (shadowed) rules all contribute to a bloated and inefficient firewall policy. The AlgoSec Firewall Analyzer's (AFA) patent-pending Intelligent Rule Re-Ordering recommends a new order for the rules that improves firewall performance while taking each rule's action into account, so that the policy's decisions are preserved: a rule is only moved ahead of another rule if the two cannot match the same traffic or take the same action.
Each AFA recommendation offers the firewall administrator a new position for a rule. The administrator can move the rule to exactly the recommended position, or to any other position in the same area that preserves the filtering logic, keeping related blocks of rules intact.
To give firewall performance a measurable attribute that shows the effect of policy optimization, AlgoSec defined a metric called Rules Matched Per Packet (RMPP): the average number of rules the firewall tests before it reaches the rule that matches a packet, including the matching rule itself.
Firewalls test rules in sequence, one after another, until they reach the matching rule, and every rule tested consumes firewall CPU. Optimizing the policy to lower the RMPP score therefore lowers CPU utilization and improves overall performance.
AFA Intelligent Rule Re-Ordering recommends an optimized position for each rule based on the current traffic mix as seen in the firewall logs.
Implementing the full AFA-computed optimal order in a policy of hundreds of rules may not be feasible. For this common situation AFA offers a top-10 list: the ten rule relocations that yield the greatest improvement.
Although AFA recommends a new position for every rule, a handful of relocations is often enough to produce a dramatic drop in RMPP and a significant gain in performance. Frequently a single rule, not among the most heavily used but located low in the policy, provides the greatest value. AFA Intelligent Rule Re-Ordering helps achieve the maximal outcome for the minimal investment.
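The RMPP metric and the action-aware relocation described above, worked through in Python as an added example. This is illustrative code, not AlgoSec's or AFA's: the rule set, the per-flow hit counts and all rule names are constructed for the example, and the search is a simple greedy one-rule-at-a-time relocation, which is an assumption about the approach rather than AFA's patented algorithm.

```python
"""Rules Matched Per Packet (RMPP) and conflict-aware rule relocation.

Added illustration, not AlgoSec/AFA code. Models a first-match firewall,
computes RMPP from log-derived hit counts, and proposes single-rule moves
that lower RMPP without changing any accept/drop decision.
"""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR
    dst: str        # CIDR
    proto: str      # "tcp", "udp" or "any"
    dports: tuple   # inclusive (low, high) destination-port range
    action: str     # "accept" or "drop"

    def matches(self, pkt):
        src, dst, proto, dport = pkt
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dports[0] <= dport <= self.dports[1])

    def overlaps(self, other):
        """True if some packet could match both rules (field-wise, conservative)."""
        return (ipaddress.ip_network(self.src).overlaps(ipaddress.ip_network(other.src))
                and ipaddress.ip_network(self.dst).overlaps(ipaddress.ip_network(other.dst))
                and ("any" in (self.proto, other.proto) or self.proto == other.proto)
                and max(self.dports[0], other.dports[0]) <= min(self.dports[1], other.dports[1]))


def first_match(rules, pkt):
    """Index of the first matching rule, or len(rules) if only the implicit deny applies."""
    for i, r in enumerate(rules):
        if r.matches(pkt):
            return i
    return len(rules)


def decision(rules, pkt):
    i = first_match(rules, pkt)
    return rules[i].action if i < len(rules) else "drop"


def rmpp(rules, traffic):
    """Average number of rules tested per packet, including the matching rule.
    traffic is a list of (packet, hit_count) pairs aggregated from the logs."""
    total = sum(n for _, n in traffic)
    if total == 0:
        return 0.0
    # A packet matched at index i was tested against i+1 rules; an unmatched
    # packet was tested against every rule before hitting the implicit deny.
    tested = sum(min(first_match(rules, p) + 1, len(rules)) * n for p, n in traffic)
    return tested / total


def earliest_safe_position(rules, i):
    """Highest position rule i can move to without passing a rule that both
    overlaps it and takes a different action (that would change decisions)."""
    pos = i
    for k in range(i - 1, -1, -1):
        if rules[k].action != rules[i].action and rules[k].overlaps(rules[i]):
            break
        pos = k
    return pos


def move(rules, i, j):
    new = list(rules)
    new.insert(j, new.pop(i))
    return new


def recommend_moves(rules, traffic, k=10):
    """Top-k single-rule relocations ranked by the RMPP they achieve.
    Each candidate moves one rule to its earliest safe position; only
    moves that actually lower RMPP are reported."""
    baseline = rmpp(rules, traffic)
    candidates = []
    for i, r in enumerate(rules):
        j = earliest_safe_position(rules, i)
        if j == i:
            continue
        reordered = move(rules, i, j)
        # Sanity check on observed traffic; the overlap test above is what
        # guarantees unchanged decisions for packets not yet seen in the logs.
        assert all(decision(rules, p) == decision(reordered, p) for p, _ in traffic)
        score = rmpp(reordered, traffic)
        if score < baseline:
            candidates.append((r.name, i, j, round(score, 2)))
    candidates.sort(key=lambda c: c[3])
    return candidates[:k]


# Constructed policy: r6 carries most of the traffic but sits near the bottom,
# and r3 (a blocked source) overlaps it with a different action.
RULES = [
    Rule("r1", "10.0.0.0/8", "10.10.0.0/16", "tcp", (22, 22), "accept"),
    Rule("r2", "10.0.0.0/8", "10.10.0.5/32", "tcp", (3389, 3389), "accept"),
    Rule("r3", "198.51.100.0/24", "203.0.113.0/24", "tcp", ANY_PORT, "drop"),
    Rule("r4", "192.168.1.0/24", "10.10.0.0/16", "udp", (161, 161), "accept"),
    Rule("r5", "0.0.0.0/0", "10.10.0.0/16", "tcp", (23, 23), "drop"),
    Rule("r6", "0.0.0.0/0", "203.0.113.0/24", "tcp", (443, 443), "accept"),
    Rule("r7", "0.0.0.0/0", "0.0.0.0/0", "any", ANY_PORT, "drop"),
]

# Constructed hit counts aggregated from the logs: ((src, dst, proto, dport), hits)
TRAFFIC = [
    (("10.1.2.3", "10.10.0.7", "tcp", 22), 50),
    (("192.0.2.9", "203.0.113.10", "tcp", 443), 800),
    (("10.5.5.5", "10.10.0.5", "tcp", 3389), 30),
    (("198.51.100.2", "203.0.113.10", "tcp", 443), 20),
    (("198.51.100.2", "10.10.0.9", "tcp", 23), 100),
]

if __name__ == "__main__":
    print("RMPP before:", round(rmpp(RULES, TRAFFIC), 2))
    for name, i, j, score in recommend_moves(RULES, TRAFFIC):
        print(f"move {name} from position {i} to {j}: RMPP {score}")
```

On this data the baseline RMPP is 5.47. Moving r6 to the top would cut it further, but r6 cannot pass r3 (same tuple space, opposite action), so the recommended move stops at position 3 and brings RMPP to 3.97; moving the telnet drop r5 to the top is the only other move that helps. Moves that merely push busy rules down are evaluated and discarded, which is why a handful of relocations, rather than a full reorder, captures most of the gain.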
For more information on optimizing your rule base, read our White Paper on Firewall Rule Cleanup.
