AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Retire that rule or retain it? Mapping firewall rules to business applications


Network security is defined by a wealth of rules that are constantly changing.

As applications are deployed, modified or migrated, network and security teams need to ensure that appropriate firewall rules are always in place to protect and enable each individual application. But what’s right for today’s needs may not still be valid in six months’ time. Rules can quickly become out-of-date.

Why so much change? There are many reasons. An application that has reached the end of its life will be decommissioned. The firewall rules that protect and support that application are no longer required. Another application might be moved to a different part of the network, adopting a new port or IP address. Old rules will need to be updated to support the new location. When rules are no longer needed, they must be removed so as not to impair performance or expose the network to unnecessary risk.

How do old rules impair performance? Retaining obsolete rules allows an excessive number to build up, slowing firewall execution. They also risk introducing security vulnerabilities that hackers could exploit, and can lead to compliance violations.


It’s good practice to conduct a cross-network rule recertification process every 12 months or so. Proper recertification requires reviewing every single firewall rule within the network environment to determine whether it is still serving business applications or just getting in the way.

So, you see the logic in 12-month recertification. How should you get started? List out all your firewalls and all the rules they hold. Take into account network segmentation – which area of your network each firewall is protecting and where those areas are segmented (separated off) from each other.

Why is that rule there?

This is a good start, but you still don’t know why each rule exists. Why was the rule needed in the first place? Is the rule still required? If not, can it be retired safely? What are the impacts of deleting old rules on your applications? Who in the organization would know the answers?

Gathering this information is extremely tedious, time-consuming and error-prone if undertaken manually. A typical enterprise may have hundreds or even thousands of firewalls, each with thousands of firewall rules. Combing through every rule and finding the relevant contacts in the pertinent business units to discover if a specific application is still in use creates a prohibitive overhead, tying up staff for weeks.

An application-centric, automated approach to rule recertification streamlines this process and makes it far more accurate. Firewall rules are originally put in place to support and secure business applications, so the correct approach is to identify the rules that need to be recertified based on whether they support existing applications. To do this, it is extremely effective to annotate each rule with the names of the application(s) it supports.

The application-centric approach is best instituted by integrating the enterprise’s application repository system, already maintained by business-application owners, with an automatic network security policy management (NSPM) solution. An application-aware NSPM solution automatically and accurately identifies all the firewalls in the network together with all their rules, network objects and configurations – and automatically maps the applications listed in the repository onto those firewall rules and specifies alongside each rule the application(s) it supports.

With an application-aware NSPM in place, it is a simple process to determine which rules are still in force and which are obsolete. The NSPM identifies all the applications a given rule supports, so it becomes much easier to find the correct application owners during the rule recertification process. Note that a single rule can support multiple applications; keeping a record of every application supported by a rule eliminates the risk of accidentally removing a rule that is still active.
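As an added illustration (not code from the original post or from any AlgoSec product), the following maps firewall rules to the applications whose flows they permit and applies the retain/retire decision described above: a rule is retired only when every application it supports has been decommissioned, and a rule that maps to no known application is flagged for review rather than deleted. The rules, applications and flows are constructed sample data.

```python
import ipaddress
from collections import namedtuple

# A Rule permits src CIDR -> dst CIDR on one port. An Application is a record from the
# application repository: owner-maintained status plus the flows (src, dst, port) it needs.
Rule = namedtuple("Rule", "name src dst port")
Application = namedtuple("Application", "name active flows")

def rule_covers(rule, flow):
    """True if the rule permits the whole flow: both CIDRs contained and the port matches."""
    src, dst, port = flow
    return (port == rule.port
            and ipaddress.ip_network(src).subnet_of(ipaddress.ip_network(rule.src))
            and ipaddress.ip_network(dst).subnet_of(ipaddress.ip_network(rule.dst)))

def map_rules_to_apps(rules, apps):
    """Annotate each rule with the names of every application whose flows it supports."""
    return {r.name: sorted(a.name for a in apps if any(rule_covers(r, f) for f in a.flows))
            for r in rules}

def recertify(rules, apps):
    """Retain a rule if any mapped application is still active, retire it only when every
    mapped application is decommissioned, and flag rules with no known application."""
    active = {a.name for a in apps if a.active}
    mapping = map_rules_to_apps(rules, apps)
    decisions = {}
    for name, app_names in mapping.items():
        if not app_names:
            decisions[name] = "review"    # no owner found: investigate before touching it
        elif any(n in active for n in app_names):
            decisions[name] = "retain"    # at least one live application depends on it
        else:
            decisions[name] = "retire"    # every application it served is gone
    return mapping, decisions

# Constructed sample data; not taken from any real environment.
RULES = [
    Rule("allow-web-to-crm", "10.1.0.0/16", "10.2.0.10/32", 443),
    Rule("allow-hr-db", "10.1.0.0/16", "10.3.0.20/32", 1433),
    Rule("allow-any-ssh", "0.0.0.0/0", "10.4.0.5/32", 22),
]
APPS = [
    Application("CRM", True, [("10.1.5.0/24", "10.2.0.10/32", 443)]),
    Application("Payroll", False, [("10.1.7.4/32", "10.2.0.10/32", 443)]),
    Application("Legacy-HR", False, [("10.1.9.0/24", "10.3.0.20/32", 1433)]),
]

if __name__ == "__main__":
    mapping, decisions = recertify(RULES, APPS)
    for rule in RULES:
        print(f"{rule.name}: supports {mapping[rule.name]} -> {decisions[rule.name]}")
```

The shared rule is retained because CRM is still active even though Payroll is decommissioned, which is exactly the case a per-rule record of all supported applications protects against.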

The right network security policy management solution

The right network security policy management solution is invaluable because it automatically extracts intelligence from existing application management tools. It puts the relevant security data at your fingertips, enabling you to review and recertify firewall rules and to safely retain or remove them. It keeps your network clear of security holes and performance problems.

Learn more about the benefits of mapping firewall rules to business applications in this video with AlgoSec CTO, Professor Avishai Wool.
