AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Filter by Custom Post Type
Posts

Changing the rules without risk: mapping firewall rules to business applications

by

As IT security becomes ever more business critical, most organizations have accumulated large numbers of complex firewall rulesets across their many security devices. These rulesets are regularly changed and added to and, as a result, they become bloated, in part because security teams are worried about the repercussions of cleaning up. Deleting a rule can be nerve-wracking since it might inadvertently cause an outage, or a gap in the security perimeter.

But not cleaning up rulesets is just as dangerous. Bloated rulesets add significant security risk, they add complexity and delays to policy change management processes, and they can impact the performance of your firewall appliance. In a typical firewall audit, for example, an external auditor may point to a rule and ask “what does rule 300 do, and is it still needed?”  More often than not the firewall administrator will not know the answer, especially if the rule has been in place for long time, and he or she will then have to spend long hours trying to find out.

AlgoSec’s security policy management solution is that it assists organizations with their firewall rule clean-up processes, checking which rules are serving a valid purpose and which ones are redundant. This is done by tracking a rule’s usage over long time periods. If a rule hasn’t been used within a certain time period, say 8 months, the assumption is that it’s probably not needed and therefore no application will break or become insecure if it’s deleted.

However, there is still a risk of unexpected consequences. Even though a given rule wasn’t used during the monitoring period, is it really redundant, or is it still required occasionally, for example during a DR failover, or to allow additional traffic volume in the lead up to the holiday season?  To make an informed decision, the firewall administrators need to know which business applications rely on each firewall rule.

Our recent release of the AlgoSec solution (v.611) associates firewall rules with their respective business applications, and provides a detailed, documented inventory of all the applications and connectivity each rule supports. This capability is supported through AlgoSec BusinessFlow, which now automatically annotates the firewall rules with links to the applications relying on them – and keeps this annotation up-to-date throughout the application’s lifecycle.

So now, when assessing the validity of a rule, the administrator doesn’t just rely only on whether the rule has been used within a specific timeframe: he/she can immediately see whether or not the rule supports a business application. This helps eliminate the potential risks of firewall rule removal and simplifies the decluttering process. The actual clean-up and decommissioning can then be automatically processed through AlgoSec’s zero-touch security policy change management.

There are several key benefits to linking firewall rules to their business applications.

  • Enhanced reporting for audits – If an auditor now asks about the purpose of a specific rule, it’s all documented. The firewall manager can simply click on the rule to see every application it supports, which business unit owns the application, the technical contact for that application, what other applications its connected to and the traffic flows it requires to properly function.
  • Removes the ‘false positive’ risk – By providing firewall administrators with one click access to an inventory of every application supported by individual rules they are able to accurately assess if a rule is truly ‘unused’, or whether the lack of current activity is due to factors such as seasonal differences in traffic.
  • Business context for change requests – when planning to modify, add or remove rules to support a change request, the administrator can quickly identify the relevant application owners and work with them to assess the impact the planned changes could have on the application and on the business.
  • Enhanced visibility for rule maintenance – when undertaking ruleset maintenance or clean-up firewall administrators now have a single view of all applications and flows linked to individual rules, ensuring that the process is risk free and focused on ensuring that critical business processes are not impacted.

By tying firewall rules to business applications, we continue to focus on enabling our customers to align their security with their business processes so that they can be more agile, more secure and more compliant – all the time.

Click here to find out what else is new in AlgoSec 6.11.

Subscribe to Blog

Receive notifications of new posts by email.