Rule & Object Cleanup
Firewall policies are in a constant state of flux to meet constantly changing enterprise needs. Firewall administration teams in large organizations often process dozens of rule additions and changes daily. This continuous change causes the firewall configuration to grow dramatically over time. A huge and consequently complex firewall configuration is hard to manage and may require lengthy research in order to add or change a rule. Moreover, the complexity of the configuration decreases the firewall's performance and may lead to potential security breaches.
Finding unused rules that have not matched any traffic, duplicate rules, and rules that are covered by other rules is a complex manual task for the firewall administrator. It may take days of investigating just to locate such rules in huge firewall configurations, while at the same time the firewall is continuing to change daily due to user requests.
AlgoSec Firewall Analyzer (AFA) software can help companies clean up their firewall policies, easing the network administrator’s job while boosting firewall performance and eliminating security holes. AFA does this by automatically and continuously locating:
- Unused rules: Rules that have not matched any packet during a specified time. AFA looks at the firewall logs and compares the actual traffic to the rules in the policy. Unused rules are ideal candidates for removal. Often the application has been decommissioned or the server has been relocated to a different address. The period of time for which AFA checks the rule usage is configurable.
- Covered or duplicated rules: Rules that can never match traffic because a prior rule or a combination of earlier rules prevents traffic from ever hitting them. During firewall cleanup such covered or duplicated rules can be deleted since they will never be used. Covered and duplicated rules cause the firewall to spend precious time on nothing and decrease its performance.
- Disabled rules: Rules that are marked "disabled" and are not in operation. Disabled rules are ideal candidates for removal, unless the administrator opts to keep them for occasional use or for historical record.
- Time-inactive rules: Rules that were active for a specified time in the past and whose time has expired. For example, a Check Point time clause on a rule does not contain a field for the year. Therefore rules that were active for a specific period will become active again at the same time the next year. Retaining such rules introduces potential security holes.
- Rules without logging: Rules that are defined not to generate logs. Generally, corporate guidelines dictate that maximum rule usage is tracked. Since log information consumes a large amount of disk space, administrators often configure highly used rules that control low-risk traffic not to generate logs. Listing the rules without logs will help the administrator verify that the lack of audit for these rules is not in contravention of corporate policy.
- Least used rules and most used rules: Rules that matched the smallest or the largest number of packets over a predefined and configurable period of time. The rule usage statistics help the administrator in the cleanup process and lead to significant performance improvements: the administrator may want to reposition the most used rules higher in the configuration and the least used rules lower. Rules with a zero hit count may be removed.
- Rules without comments: Rules without a text explanation. Check Point and Juniper firewalls allow the administrator to add free text that is usually used to describe the rule's purpose, the reason for creating the rule or any other information associated with the rule. Corporate policy often requires an explanation for each rule, so defining rules without entering comments frequently contravenes corporate policy.
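To make the covered-rule and unused-rule checks above concrete, here is a small added example (not AlgoSec's or AFA's code) that takes a first-match rule base with constructed hit counts, flags any rule fully covered by a single earlier rule, and lists zero-hit rules. Coverage by a combination of earlier rules, which the text also mentions, is deliberately left out to keep the example short; the rule names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    ports: tuple        # inclusive (low, high) destination port range
    action: str
    hits: int = 0       # matches seen in logs over the review period


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`.
    Action is irrelevant here: with first-match semantics a later rule
    whose match space is fully inside an earlier rule is never reached."""
    return (
        ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
        and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
        and outer.ports[0] <= inner.ports[0]
        and inner.ports[1] <= outer.ports[1]
    )


def find_covered(rules):
    """Return (shadowed_rule, covering_rule) pairs for rules that can never match.
    Only single-rule coverage is checked, not coverage by a union of earlier rules."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found


def find_unused(rules):
    """Rules with no log hits in the review period: removal candidates."""
    return [r.name for r in rules if r.hits == 0]


# Constructed sample rule base, evaluated top to bottom (first match wins).
SAMPLE_RULES = [
    Rule("R1", "10.0.0.0/8", "192.168.1.10/32", (443, 443), "allow", hits=1200),
    Rule("R2", "10.1.0.0/16", "192.168.1.10/32", (443, 443), "allow", hits=0),
    Rule("R3", "10.2.0.0/16", "192.168.2.0/24", (22, 22), "allow", hits=0),
    Rule("R4", "0.0.0.0/0", "192.168.3.5/32", (80, 80), "allow", hits=5),
]
```

R2 is reported twice, as covered by R1 and as unused, which is exactly the pattern a covered rule shows in hit statistics; R3 is unused without being covered, so it is a candidate for the decommissioned-application check rather than a pure shadowing cleanup.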
For more information, read our White Paper on Firewall Rule Cleanup.
