Exorcising the rotten rules from your network at Halloween

Is the smell of decay wafting through your network?  It’s likely that the remnants of applications past are lurking in dark corners of your network, ready to make their presence felt in unexpected and scary ways.

All too often, when business applications are decommissioned, they are not removed cleanly from the network and sent to the application graveyard;  they’re simply left to fester.  The rules and policies which those old applications relied on to work then quietly rot away on firewalls and other network devices.

This isn’t just bad network hygiene:  these old rules can introduce security vulnerabilities that lead to compliance violations or damaging breaches – which are truly frightening prospects – as well as compromise the performance of your firewalls.  Let’s take a closer look at why the horrors of rules left behind by dead applications continue to cause problems on enterprise networks, and how they can be exorcised, never to return.

Dead, but still alive

One of the main reasons obsolete applications’ rules get left behind is the sheer pace of change on enterprise networks.  The pressure of keeping up with new applications being deployed, and existing ones being updated or migrated, means that security teams are focused on the applications that are important to the business right now, rather than dealing with those that have been retired.

There’s also the ‘what if’ worry:  what if the old application is needed again?  What if that application’s rules are being used by another application, which could be affected if those rules are removed?

But those old rules can easily move from being a benign to a malign presence.  First, they increase the risk of security gaps, which hackers could exploit.  Second, they make network tasks such as change management and auditing more complex, and can trigger compliance violations. Third, if a new application re-uses an IP address that belonged to an old app, the old app’s rules could give the new system permissions that it shouldn’t have.  And finally, firewall rule bloat risks slowing down your firewalls’ performance, and can shorten their lifespan unnecessarily.

Rule exorcism

So how should you go about finding the old, rotten rules on your networks, removing them, and keeping them at bay in the future?  The key is to implement a rule validation and recertification routine, applying the following four steps to every security rule:

1. Scrutinize your firewall logs to understand the last time that the rule was used. If it was months ago, there’s a good chance it’s obsolete.
2. Check the comments associated with the rule, to see which application it serves and who ‘owns’ the rule.
3. Verify that the application is still in use with the relevant person or team.
4. You can either remove the rule because it is obsolete, or extend its lifespan further if it’s still in active use.

While this process is logical and easy to describe, it’s a huge undertaking if it has to be done manually.  Enterprises often have hundreds or thousands of firewalls, each with thousands of firewall rules.  Combing through each one to see if it’s alive or dead could tie up security teams for weeks, while potentially critical vulnerabilities remain unfixed in the meantime.

However, there is an alternative approach which streamlines the process, making it far easier for security teams.  This involves taking an application-centric approach to rule recertification.  Put simply, it means identifying whether a rule is actually needed to support an existing, live business application – or whether it’s just a rotten remnant of an old app.

This approach starts with identifying all of the firewalls on the organization’s network, with their associated rules, network objects and configurations.  An automation solution can support this process, and provide a detailed report showing unused firewall rules, giving an initial target list of rules for review by security teams.

The next stage is identifying all the applications on the organization’s network.  Again, the automation solution should automatically discover and map the applications and their connectivity flows across the enterprise network.

All firewalls and their rules can then be associated to the applications they support – and the automation solution should highlight the dead rules that are not linked to live applications.  These can then be double-checked prior to being exorcised, with the solution generating an audit trail of the process.

Having bits of old applications decaying on your network isn’t good for your organization’s security or compliance posture.  So why not start cleansing your network of rotten rules this Halloween?