The most constant thing about firewall rules is that they constantly change. Large organizations process tens to hundreds of firewall rule changes every week, to support new applications, new business partner connections, or organizational changes. As a result, admins add more and more rules to their firewalls, the policies become bloated and cluttered, and eventually much pain occurs.
One thing that is often neglected is getting rid of rules that are no longer needed. Maybe that server has been decommissioned? Maybe the relationship with that company has been terminated? Even if the answer is “Yes”, it’s quite likely that the old firewall rules are still there, because no one asked to remove them.
This is where “Rule Recertification” kicks in. Security-conscious organizations sometimes have a policy that requires every firewall rule to be examined after a year or two, and to be eliminated if it’s no longer necessary for business.
Unfortunately, this policy is technically pretty hard to implement. The people who asked for the application have probably moved on, the engineers who built it are also no longer available, and records may be sketchy, so finding the right humans to ask is difficult. Furthermore, the same firewall rule may support many applications simultaneously, so there is a big risk of breaking something important with too much zeal. I recall talking to a large bank that employed 20 engineers solely for the task of recertifying rules!
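As an added illustration (not code from the original post), here is a small Python script that applies the recertification policy described above to a constructed rule export and hit log. It assumes a one-year "unused" threshold and a two-year review window, and it marks wide ("any") rules for manual review rather than removal because, as noted above, one rule may serve several applications; all rule and hit data are made-up samples.

```python
"""Flag firewall rules that are candidates for recertification.

Input: a constructed rule export (id, last review date, source, destination,
service) and a constructed table of last-hit dates per rule. Rules with no
traffic for a year, or not reviewed for two years, are flagged; wide rules
are marked for manual review because they may serve several applications.
"""
from datetime import date, timedelta

UNUSED_DAYS = 365          # assumed policy: no hits for a year
REVIEW_DAYS = 730          # assumed policy: recertify every two years
TODAY = date(2024, 6, 1)   # fixed "now" so the example is reproducible

# Constructed sample export; real data would come from the firewall manager.
RULES = [
    {"id": 10, "reviewed": "2019-03-01", "src": "10.1.0.0/16", "dst": "10.9.0.5",    "svc": "tcp/443"},
    {"id": 11, "reviewed": "2023-11-15", "src": "10.2.0.7",    "dst": "10.9.0.6",    "svc": "tcp/22"},
    {"id": 12, "reviewed": "2021-05-20", "src": "any",         "dst": "10.9.0.0/24", "svc": "any"},
    {"id": 13, "reviewed": "2022-08-01", "src": "10.3.0.0/24", "dst": "10.9.0.8",    "svc": "tcp/1433"},
]
# Constructed sample of last hit per rule; rule 10 has never matched traffic.
LAST_HIT = {11: "2024-05-30", 12: "2024-05-31", 13: "2023-02-01"}


def is_wide(rule):
    """A rule with 'any' source, destination or service likely serves many apps."""
    return "any" in (rule["src"], rule["dst"], rule["svc"])


def recert_candidates(rules, last_hit, today=TODAY):
    """Return {rule_id: [reasons]} for rules that need recertification."""
    out = {}
    for r in rules:
        reasons = []
        hit = last_hit.get(r["id"])
        if hit is None or today - date.fromisoformat(hit) > timedelta(days=UNUSED_DAYS):
            reasons.append("no traffic in %d days" % UNUSED_DAYS)
        if today - date.fromisoformat(r["reviewed"]) > timedelta(days=REVIEW_DAYS):
            reasons.append("not reviewed in %d days" % REVIEW_DAYS)
        if reasons and is_wide(r):
            reasons.append("wide rule: manual review, do not auto-remove")
        if reasons:
            out[r["id"]] = reasons
    return out


if __name__ == "__main__":
    for rid, why in recert_candidates(RULES, LAST_HIT).items():
        print(rid, "; ".join(why))
```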
So what can you do? Here are a few ideas that can help: