AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Just in time for Halloween: 5 tips for exorcising security policy bloat


With Halloween next week, it’s a good time to ask yourself: is my network haunted?

No, we’re not talking about whether or not you believe in the supernatural. Rather, let’s focus on an aspect of network security management that is often neglected – old, obsolete and duplicate firewall rules and policies.

In today’s dynamic cyber landscape, where firewall rules are added and updated on a daily or even hourly basis, it is all too easy for security policies to become unnecessarily bloated and cluttered.

Security policy bloat happens because network security engineers are afraid to remove policies ‘just in case’ – just in case they are needed again, just in case they are used by another application, or just in case their removal could inadvertently cause an outage.

As a result you often end up with duplicate rules, unnecessary rules, or rules that are now obsolete because they previously belonged to a decommissioned application. Just like the shadowy figure in the classic ghost stories, these rules are often overlooked – but they can make their presence felt in some unpleasant and potentially dangerous ways.

Overly extended security policies don’t just add complexity to daily tasks such as change management, troubleshooting and auditing. They can also degrade the performance of your firewall appliances, bring forward hardware refreshes and increase TCO. Obsolete security rules left over from decommissioned applications are even more sinister: a permit that still points at the addresses and ports a retired server used to hold keeps that path open through your perimeter, and whatever is later given those addresses inherits the access, which an attacker may exploit to get into your network.

Clearly security policy bloat is a heavy burden for network security managers, and it introduces significant security risks as well as performance problems. But safely removing rules is not always easy, and there is always the risk of causing an application outage by doing so.

So what steps can you take to safely exorcise these ghost rules lurking in your firewalls? Here’s a five step process for reducing security policy bloat:

  1. Audit and assess. The first step is a full audit of your firewall estate, which gives you the visibility into your security policy, its risks and its compliance status that you need before you clean up your firewall rules. This should include visibility of unused rules (no hits over a log window long enough to include weekly, monthly and quarterly jobs), covered or ‘shadowed’ rules (rules that can never fire because an earlier, broader rule always matches first), unrouted rules (rules for traffic that is never routed through this device) and more.
  2. Consolidate. Work out whether similar or overlapping rules can be consolidated into one. Fewer rules means less work, less room for error and greater visibility.
  3. Remove. Then get rid of the unused, duplicate and unnecessary rules and objects that provide no security or business value, including rules that belonged to decommissioned applications. Before you make any change, assess the risk that each firewall rule deletion carries for both network security and compliance. A safe habit is to disable a rule and monitor for a period before deleting it, so that a forgotten periodic job surfaces as a logged block rather than as an outage you have to troubleshoot back to a change.
  4. Tighten overly permissive rules. Permissive rules either allow more devices onto the network than they should or grant users more privileges than they need; ‘any’ sources, destinations or services are the usual sign. Tighten such rules so that device and user access is restricted to only what is needed.
  5. Reorder. For the best performance, place rules so that the ones matched most often come first: examine log data to identify the rules with the most hits and move them up the ruleset. This reduces the average number of rules the appliance has to evaluate before it finds a match. Because most firewalls apply the first matching rule, reordering is only safe between rules that cannot both match the same traffic, or that match it with the same action; moving a busy permit above a narrower deny that overlaps it silently changes the policy, so check every move against the rules it crosses.
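The five steps above as a worked example, added here and not AlgoSec's or any vendor's code: it finds covered (shadowed and duplicate) rules, unused rules and overly permissive rules in a small ruleset, then reorders by hit count while refusing to cross any pair of overlapping rules with different actions, so first-match decisions are unchanged. The Rule layout, the field names, the "two or more any fields" permissiveness heuristic and the sample ruleset are all assumptions constructed for the example, not a real firewall's export format.

```python
"""Firewall rule hygiene checks for the five-step clean-up described above.
Added example; not AlgoSec's code.  The Rule layout, the field names and
the sample ruleset are assumptions, not any vendor's export format."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass
class Rule:
    name: str
    action: str             # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str              # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination port range
    hits: int               # matches logged over the audit window


def covers(a: Rule, b: Rule) -> bool:
    """Every packet that matches b also matches a (a is at least as broad)."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.proto in ("any", b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet could match both rules."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (a.proto == b.proto or "any" in (a.proto, b.proto))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def match_key(r: Rule):
    return (r.action, r.src, r.dst, r.proto, r.ports)


def covered(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Step 1: rules that can never fire because an earlier rule already
    matches everything they match.  Returns (rule, covering rule, kind)."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                kind = "duplicate" if match_key(earlier) == match_key(r) else "shadowed"
                out.append((r.name, earlier.name, kind))
                break
    return out


def unused(rules: List[Rule]) -> List[str]:
    """Step 3 candidates: zero hits over the audit window (make sure the
    window is long enough to include periodic jobs before deleting)."""
    return [r.name for r in rules if r.hits == 0]


def overly_permissive(rules: List[Rule]) -> List[str]:
    """Step 4 heuristic (an assumption): allow rules with 'any' in at
    least two of source, destination and service."""
    out = []
    for r in rules:
        anys = (r.src == ANY_NET) + (r.dst == ANY_NET) + (r.ports == ANY_PORTS)
        if r.action == "allow" and anys >= 2:
            out.append(r.name)
    return out


def reorder_by_hits(rules: List[Rule]) -> List[Rule]:
    """Step 5: bubble busier rules upward by adjacent swaps, but never swap
    two rules that overlap with different actions; their relative order is
    what decides the packet, so crossing them would change the policy."""
    order = list(rules)
    changed = True
    while changed:
        changed = False
        for i in range(len(order) - 1):
            a, b = order[i], order[i + 1]
            if b.hits > a.hits and not (overlaps(a, b) and a.action != b.action):
                order[i], order[i + 1] = b, a
                changed = True
    return order


def first_match(rules: List[Rule], src: str, dst: str, proto: str, port: int):
    """First-match lookup, used to confirm a reorder changed no decision."""
    s, d = ip_network(src), ip_network(dst)
    for r in rules:
        if (s.subnet_of(r.src) and d.subnet_of(r.dst)
                and r.proto in ("any", proto) and r.ports[0] <= port <= r.ports[1]):
            return r.name, r.action
    return None, "deny"  # implicit default deny at the end of the base


# Constructed sample ruleset (not taken from any real firewall).
RULES = [
    Rule("R1", "allow", ip_network("10.0.0.0/8"),    ip_network("192.168.10.0/24"), "tcp", (443, 443), 12000),
    Rule("R2", "allow", ip_network("10.1.0.0/16"),   ip_network("192.168.10.5/32"), "tcp", (443, 443), 0),
    Rule("R3", "deny",  ip_network("10.2.0.0/16"),   ip_network("192.168.20.0/24"), "tcp", (22, 22),   30),
    Rule("R4", "allow", ip_network("10.0.0.0/8"),    ip_network("192.168.20.0/24"), "tcp", (22, 22),   9000),
    Rule("R5", "allow", ip_network("10.0.0.0/8"),    ip_network("192.168.10.0/24"), "tcp", (443, 443), 0),
    Rule("R6", "allow", ip_network("172.16.5.0/24"), ip_network("192.168.30.0/24"), "udp", (514, 514), 45000),
    Rule("R7", "allow", ANY_NET,                     ANY_NET,                       "any", ANY_PORTS,  500000),
]

if __name__ == "__main__":
    print("covered:", covered(RULES))
    print("unused:", unused(RULES))
    print("overly permissive:", overly_permissive(RULES))
    print("reordered:", [r.name for r in reorder_by_hits(RULES)])
```

On the sample data R2 is shadowed by R1, R5 is a duplicate of R1, both are unused, and R7 is the any/any/any permit that step 4 should tighten. The reorder moves the busy R6 to the top but leaves R7 below the deny rule R3 despite its hit count, because R7 overlaps R3 with the opposite action; a packet from 10.5.0.1 to 192.168.20.9:22 is now matched by R7 instead of R4, but the decision is still "allow", which is exactly the invariant the reorder must keep.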

Going forward, it is far more effective and efficient to maintain policy hygiene by designing each rule change proactively and intelligently, so that bloat does not build up in the first place. Using an automation solution to manage security policy significantly speeds up this process, reduces mistakes and risk, and helps you remain secure and compliant at all times.

Confronting your policy poltergeists may be a scary prospect, but the chaos that they can inflict if they are allowed to freely exist on your firewalls will ultimately prove to be far more daunting.  So why not exorcise the spirits of firewall rules long since forgotten this Halloween?
