AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


3 Things You Can Do Today to Improve Your (“Grossly Overstated?”) Firewall Performance


The report from independent lab NSS Labs is making news today. NSS Labs evaluated six network firewalls (from Check Point, Juniper, Cisco, Fortinet, Palo Alto and SonicWall) and discovered that three of the six failed to stay operational when subjected to stability tests. It also found that the performance claims presented in the vendor datasheets “are generally grossly overstated.”

While the former is quite startling, the latter isn’t likely to surprise anyone. In addition to potential “padding” of performance numbers by firewall vendors, one has to consider the impact of the ruleset on performance. A firewall typically processes the ruleset sequentially until it finds a rule that matches the traffic. An ever-growing ruleset (with firewall rules that never get retired) inevitably results in performance degradation. One can only wonder which rulesets were used to produce the performance numbers, the vendors’ or NSS Labs’, and whether either resembles a real-life scenario.

But here are three simple things any firewall administrator can do today to improve firewall performance:

  1. Remove unused, duplicate, and shadowed rules and objects – these rules and objects add no business value and create unnecessary “work” for the firewall.
  2. Consolidate similar rules – for example, rules with the same source and destination but different services can be consolidated into one rule. Fewer rules, less work.
  3. Reorder rules for performance – you can look at log data or hit counters, depending on the type(s) of firewalls you have, to identify the rules with the most hits. By promoting these rules to the highest possible place in the ruleset (that is, the highest place that does not break the policy logic) you will reduce the average number of rules the firewall has to process before it finds a match.
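As an added illustration (not code from the post or from AlgoSec’s product), here are the three steps applied to a constructed toy ruleset. Rules carry named object groups rather than addresses, and step 3 never moves a rule past an earlier rule that overlaps it with a different action, which is the “does not break the policy logic” constraint above.

```python
from collections import namedtuple
ANY = frozenset({"any"})  # wildcard value for a src/dst/svc field
Rule = namedtuple("Rule", "name src dst svc action hits")  # src/dst/svc: sets of object-group names

def covers(a, b):  # field a matches everything field b matches
    return a == ANY or a >= b
def overlaps(a, b):  # fields a and b can match the same packet
    return a == ANY or b == ANY or bool(a & b)

def shadowed(rules):
    """Step 1: names of rules fully covered by an earlier rule, so they can never match."""
    return [r.name for j, r in enumerate(rules)
            if any(covers(e.src, r.src) and covers(e.dst, r.dst) and covers(e.svc, r.svc)
                   for e in rules[:j])]

def consolidate(rules):
    """Step 2: merge adjacent rules with identical src, dst and action into one rule."""
    out = []
    for r in rules:
        p = out[-1] if out else None
        if p and (p.src, p.dst, p.action) == (r.src, r.dst, r.action):
            svc = ANY if ANY in (p.svc, r.svc) else p.svc | r.svc
            out[-1] = Rule(p.name + "+" + r.name, p.src, p.dst, svc, p.action, p.hits + r.hits)
        else:
            out.append(r)
    return out

def conflicts(a, b):  # swapping a and b changes the policy only if both can match one packet and disagree
    return a.action != b.action and overlaps(a.src, b.src) and overlaps(a.dst, b.dst) and overlaps(a.svc, b.svc)
def reorder(rules):
    """Step 3: bubble high-hit rules upward, but never past a rule they conflict with."""
    out = list(rules)
    for i in range(1, len(out)):
        j = i
        while j > 0 and out[j - 1].hits < out[j].hits and not conflicts(out[j - 1], out[j]):
            out[j - 1], out[j] = out[j], out[j - 1]
            j -= 1
    return out

def optimize(rules):  # the three steps in order; returns the resulting rule names
    dead = set(shadowed(rules))
    return [r.name for r in reorder(consolidate([r for r in rules if r.name not in dead]))]

RULES = [  # constructed sample ruleset; object-group names and hit counts are illustrative
    Rule("r1", frozenset({"guest"}), frozenset({"corp_servers"}), ANY, "deny", 50),
    Rule("r2", frozenset({"corp", "branch"}), frozenset({"dmz"}), frozenset({"http"}), "allow", 120),
    Rule("r3", frozenset({"corp", "branch"}), frozenset({"dmz"}), frozenset({"https"}), "allow", 900),
    Rule("r4", frozenset({"corp"}), frozenset({"dmz"}), frozenset({"http"}), "deny", 0),  # shadowed by r2
    Rule("r5", frozenset({"guest"}), ANY, frozenset({"http", "https"}), "allow", 2000),  # conflicts with r1
]
```

`optimize(RULES)` drops r4, merges r2 and r3, and promotes the merged rule above the guest deny rule, while r5 stays below r1 despite its higher hit count because swapping them would let guests reach corp_servers.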

These three simple steps can be done through manual analysis or with automated tools such as AlgoSec Firewall Analyzer. Take a look at the video below to see how an automated analysis works in this case.
