AlgoSec Security. Visibility. Governance
   
 

Rule & Object Cleanup

Firewall policies are in a constant state of flux to meet constantly changing enterprise needs. Firewall administration teams in large organizations often process dozens of rule additions and changes daily. This continuous change causes the firewall configuration to grow dramatically over time. A huge and consequently complex firewall configuration is hard to manage and may require lengthy research before a rule can be added or changed. Moreover, the complexity of the configuration degrades the firewall's performance and may lead to security breaches.

Finding unused rules that have not matched any traffic, duplicate rules, and rules that are covered by other rules is a complex manual task for the firewall administrator. In a huge firewall configuration it may take days of investigation just to locate such rules, while the firewall itself keeps changing daily in response to user requests.

It is also important to note that each rule has its own unique internal identifier (UID), which is what ties traffic log entries to their corresponding rules. The AlgoSec Firewall Analyzer (AFA) relies on this UID rather than on the rule's position, so its Rules, Objects and NAT usage reports remain accurate even as rule numbers inevitably change over time.

AFA software can help companies clean up their firewall policies while maintaining the integrity of the security policy, easing the network administrator’s job, boosting firewall performance and eliminating security holes. AFA does this by automatically and continuously locating:

  • Unused rules: Rules that have not matched any packet during a specified period. AFA reads the firewall logs and compares the actual traffic against the rules in the policy. Unused rules are ideal candidates for removal; often the application has been decommissioned or the server has been relocated to a different address. The period over which AFA checks rule usage is configurable.

  • Covered or duplicated rules: Rules that can never match traffic because a prior rule, or a combination of earlier rules, prevents traffic from ever reaching them. During firewall cleanup such covered or duplicated rules can be deleted, since they will never be used. Covered and duplicated rules make the firewall spend precious time on nothing and degrade its performance.

  • Rules covered by subsequent rules: Rules that are special cases in that they cannot match traffic, because a subsequent rule or a combination of subsequent rules makes them redundant. During firewall cleanup such covered or special-case rules can be deleted. Like duplicated rules that can never match traffic because a prior rule or combination of prior rules prevents it, special-case rules also make the firewall waste precious time and are good candidates for removal.

  • Disabled rules: Rules that are marked “disabled” and are not in operation. Disabled rules are ideal candidates for removal, unless the administrator opts to keep them for occasional use or as a historical record.

  • Time-inactive rules: Rules that were active for a specified time in the past and whose time has expired. For example, a Check Point time clause on a rule has no field for the year, so a rule that was active for a specific period will become active again at the same time the next year. Retaining such rules introduces potential security holes.

  • Rules without logging: Rules that are defined not to generate logs. Corporate guidelines generally dictate that rule usage is tracked as fully as possible. Since log information consumes a large amount of disk space, administrators often configure heavily used rules that control low-risk traffic not to generate logs. Listing the rules without logs helps the administrator verify that the lack of an audit trail for these rules does not contravene corporate policy.

  • Least used and most used rules: Rules that matched the smallest or the largest number of packets over a predefined, configurable period of time. The rule usage statistics help the administrator in the cleanup process and lead to significant performance improvements: the administrator may want to reposition the most used rules higher in the configuration and the least used rules lower. Rules with a zero hit count may be removed.

  • Rules without comments: Rules without a text explanation. Check Point and Juniper firewalls allow the administrator to add free text, usually used to describe the rule's purpose, the reason for creating it or any other information associated with it. Corporate policy often requires an explanation for each rule, so defining rules without comments often contravenes corporate policy.

  • Rules with unused objects: Rules that contain unused objects are identified; unused objects within a rule make it an ideal candidate for removal during cleanup.

For more information, read our White Paper on Firewall Rule Cleanup.
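The checks in the list above are mechanical once a rule base and its logs are in hand. The script below is an added example written for this page; it is not AlgoSec's code and not how AFA is implemented. It runs the same categories of check over a constructed rule base and constructed log lines. Assumptions: first-match rule order; rules expressed as a source CIDR, a destination CIDR and an inclusive destination-port range (protocol is ignored); a `rule_uid` field in every log line, so that hits are counted by UID rather than by rule number; and disabled rules that never match traffic. Coverage by a combination of earlier (or later) rules is found by subtracting each other rule's match box from the rule under test, dimension by dimension, until nothing remains.

```python
"""Added example, not AlgoSec's code: the cleanup checks described above, run on a
constructed first-match rule base and constructed traffic log lines."""
import ipaddress
from collections import Counter

def rule(uid, src, dst, ports, action, enabled=True, log=True, comment="", expires=None):
    return dict(uid=uid, src=src, dst=dst, ports=ports, action=action,
                enabled=enabled, log=log, comment=comment, expires=expires)

# Constructed sample rule base. src/dst are CIDRs, ports an inclusive (lo, hi) range.
RULES = [
    rule("r1", "10.0.0.0/24", "192.0.2.10/32", (443, 443), "accept", comment="HTTPS to web front-end"),
    rule("r2", "10.0.0.0/24", "192.0.2.10/32", (80, 443), "accept"),
    rule("r3", "10.0.0.0/25", "192.0.2.10/32", (80, 80), "accept", comment="Legacy HTTP"),
    rule("r4", "10.0.0.0/24", "192.0.2.0/24", (22, 22), "drop", log=False, comment="Block SSH to DMZ"),
    rule("r5", "10.0.0.128/25", "192.0.2.10/32", (8080, 8080), "accept", enabled=False, comment="Staging"),
    rule("r6", "10.0.0.0/25", "192.0.2.20/32", (25, 25), "accept", comment="SMTP relay, lower half"),
    rule("r7", "10.0.0.128/25", "192.0.2.20/32", (25, 25), "accept", comment="SMTP relay, upper half"),
    rule("r8", "10.0.0.0/24", "192.0.2.20/32", (25, 25), "accept", comment="SMTP relay (old rule)"),
    rule("r9", "10.0.1.0/24", "192.0.2.30/32", (3389, 3389), "accept", comment="Contractor RDP",
         expires="2023-12-31"),
]

# Constructed log lines; the rule UID (not the rule number) ties each line to its rule.
LOG_LINES = [
    "2024-04-30T08:12:01 rule_uid=r2 action=accept src=10.0.0.5 dst=192.0.2.10 dport=80",
    "2024-04-30T08:12:07 rule_uid=r2 action=accept src=10.0.0.9 dst=192.0.2.10 dport=80",
    "2024-04-30T09:30:00 rule_uid=r6 action=accept src=10.0.0.12 dst=192.0.2.20 dport=25",
    "2024-04-30T11:15:20 rule_uid=r7 action=accept src=10.0.0.200 dst=192.0.2.20 dport=25",
    "2024-05-01T07:45:10 rule_uid=r2 action=accept src=10.0.0.5 dst=192.0.2.10 dport=80",
]

def rule_box(r):
    """A rule's match space as a box of inclusive integer intervals: (src, dst, dport)."""
    src, dst = ipaddress.ip_network(r["src"]), ipaddress.ip_network(r["dst"])
    return ((int(src.network_address), int(src.broadcast_address)),
            (int(dst.network_address), int(dst.broadcast_address)), tuple(r["ports"]))

def intersects(a, b):
    return all(blo <= ahi and alo <= bhi for (alo, ahi), (blo, bhi) in zip(a, b))

def box_subtract(a, b):
    """Disjoint boxes covering a minus b: per dimension, peel off the part of a outside b."""
    if not intersects(a, b):
        return [a]
    pieces, cur = [], list(a)
    for i, ((alo, ahi), (blo, bhi)) in enumerate(zip(a, b)):
        if alo < blo:
            pieces.append(tuple(cur[:i] + [(alo, blo - 1)] + cur[i + 1:]))
        if ahi > bhi:
            pieces.append(tuple(cur[:i] + [(bhi + 1, ahi)] + cur[i + 1:]))
        cur[i] = (max(alo, blo), min(ahi, bhi))  # what is left now lies inside b's interval
    return pieces

def fully_covered_by(r, others, stop_on_other_action):
    """True if the boxes of `others` (in order, alone or combined) cover all of r's box."""
    remaining = [rule_box(r)]
    for other in others:
        box = rule_box(other)
        if stop_on_other_action and other["action"] != r["action"] and any(intersects(a, box) for a in remaining):
            return False  # some of r's traffic would be treated differently without r
        remaining = [piece for a in remaining for piece in box_subtract(a, box)]
        if not remaining:
            return True
    return False

def covered_rules(rules):
    """Rules that can never match: earlier enabled rules shadow them, whatever their action."""
    active = [r for r in rules if r["enabled"]]
    return [r["uid"] for i, r in enumerate(active) if fully_covered_by(r, active[:i], False)]

def redundant_rules(rules):
    """Special cases of later same-action rules: removing them changes no packet's fate."""
    active = [r for r in rules if r["enabled"]]
    return [r["uid"] for i, r in enumerate(active) if fully_covered_by(r, active[i + 1:], True)]

def hit_counts(lines):
    """Hits per rule UID, parsed from the key=value tokens that follow the timestamp."""
    return Counter(dict(kv.split("=", 1) for kv in line.split()[1:])["rule_uid"] for line in lines)

def cleanup_report(rules, lines, today):
    """Every finding at once. Rules with logging off are kept out of the usage ranking:
    with no logs there is no evidence either way, so zero hits must not be read as unused."""
    counts = hit_counts(lines)
    ranking = sorted(((r["uid"], counts[r["uid"]]) for r in rules if r["enabled"] and r["log"]),
                     key=lambda pair: pair[1])
    return {
        "covered_by_earlier": covered_rules(rules),
        "redundant_with_later": redundant_rules(rules),
        "unused": [uid for uid, hits in ranking if hits == 0],
        "usage_ranking": ranking,
        "disabled": [r["uid"] for r in rules if not r["enabled"]],
        "no_logging": [r["uid"] for r in rules if r["enabled"] and not r["log"]],
        "no_comment": [r["uid"] for r in rules if not r["comment"].strip()],
        "expired": [r["uid"] for r in rules if r["expires"] and r["expires"] < today],
    }

if __name__ == "__main__":
    for finding, uids in cleanup_report(RULES, LOG_LINES, "2024-05-01").items():
        print(f"{finding}: {uids}")
```

Two points the output makes visible. First, r8 is reported as covered by the combination of r6 and r7, while r6 and r7 are each reported as redundant with r8: the findings are computed independently against the full rule base, so an administrator removes one side of that pair, not both. Second, r4 has logging switched off, so it is listed under "no_logging" and kept out of the usage ranking rather than being wrongly reported as unused; the unused-rule check is only as good as the log coverage behind it.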



AlgoSec’s Firewall Analyzer is a must-have for anyone who manages a rule set of 100 or more.
-- Network World Magazine

By creating FireFlow using the AFA engine, AlgoSec has effectively created a solution that can automate the entire network security lifecycle...
-- Frost & Sullivan Analyst

We quickly saw a clear return on our investment with the AlgoSec Firewall Analyzer...
-- Anton Spitzer, Infrastructure Services, Porsche Informatik

The AFA allows us to get all of our firewall information in one place, providing IT Governance and visibility where it did not exist.
-- Anton Spitzer, Infrastructure Services, Porsche Informatik

Network security VARs, take note: AlgoSec’s FireFlow network policy change workflow management software is the next hot-ticket item for customers.
-- eWeek Magazine

The AlgoSec Firewall Analyzer fills a critical need for us by automating what was a manual, labor-intensive and error-prone process.
-- Anton Spitzer, Infrastructure Services, Porsche Informatik

By utilizing AFA we no longer require the services of an external source to perform an audit.
-- Ruza Manojilovic, Manager, Security Operations, Teranet

It (AFA) easily and quickly provided Atos Worldline with the ability to understand, track and verify changes to our firewall infrastructure…
-- Massoud Kamran, Security Consultant at Atos Worldline Belgium

AlgoSec Firewall Analyzer’s automated and intelligent analysis lets us know the implications of a change and avoid potential risks, which saves us time, effort and money.
-- Peter Johannes, Head of Security and Architecture Policy at Atos Worldline Belgium

AlgoSec’s Firewall Analyzer has helped us significantly improve our overall network security.
-- Ruza Manojilovic, Manager, Security Operations, Teranet

Using AFA’s turnkey solution for PCI DSS has been invaluable for us in terms of time and effort.
-- Ruza Manojilovic, Manager, Security Operations, Teranet

With the AFA we can focus on what is most important to Porsche Informatik – our customers.
-- Anton Spitzer, Infrastructure Services, Porsche Informatik

AlgoSec allows us to realize operational efficiencies in global security policy management and compliance.
-- Hugo Van der Veeken, Security Department Head, Atos Worldline SA/NV