AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Search in comments
Filter by Custom Post Type
Posts

Firewall Rule Recertification: Goals, Challenges, and Tips

by

The most constant thing about firewall rules is that they constantly change. Large organizations process tens to hundreds of firewall rule changes every week, to support new applications, new business partner connections, or new organizational changes. As a result – admins add more and more rules to their firewalls, the policies become bloated and cluttered, and eventually much pain occurs.

One thing that is often neglected is getting rid of rules that are no longer needed. Maybe that server has been decommissioned? Maybe the relationship with that company has been terminated? Even if the answer is “Yes”, it’s quite likely that the old firewall rules are still there, because no one asked to remove them.

This is where “Rule Recertification” kicks in. Security-conscious organizations sometimes have a policy that requires every firewall rule to be examined after a year or two, and to be eliminated if it’s no longer necessary for business.

Unfortunately this policy is technically pretty hard to implement. The people that asked for the application probably moved on, the engineers that built it are also no longer available, and records may be sketchy, so finding the right humans to ask is difficult. Furthermore, the same firewall rule may support many applications simultaneously, so there is a big risk of breaking something important with too much zeal. I recall talking to a large bank that employed 20 engineers solely for the task of recertifying rules!

So what can you do? Here are a few ideas that can help:

  • Check the rule usage. All firewalls support issuing logs at a per-rule granularity, and some vendors also support per-rule “hit counters” (that work even if logs are turned off). If there are no logs for the last 12 months on rule 701 – it’s probably not needed any more and it’s pretty safe to get rid of it.
  • … to do this you must have logging turned on, at least on all the rules you want to recertify!
  • Remember to collect usage data for long enough: if you have rules that only fire during the busy shopping season between November and January – better make sure your log collection period covers that time of year!
  • Automate your change request process so you have a searchable audit trail. That way you can check, 2 years after the fact, who asked for this rule, why it was added, who made changes to it and why. These pieces of information will give you crucial starting points on your quest to understand “is this rule still needed”
  • At a minimum, make sure every firewall admin puts comments on the rules – with a date, name, and some explanation of what the rule is for.

Subscribe to Blog

Receive notifications of new posts by email.