Firewalls are an important line of defense for enterprises, handling vast amounts of traffic. On the perimeter alone firewalls typically filter millions of packets daily. The corporate security policy implemented in these firewalls often consists of hundreds or even thousands of rules and objects. Objects may include groups of servers, user machines, sub-networks in the data center, and networks in company branch offices or DMZs. The firewall rules define the type of applications and network services allowed to traverse between networks.
Since business needs are dynamic, firewall policies are constantly changed. Firewall administration teams in large organizations often process dozens of rule additions and changes daily. This continuous flux causes firewall configurations to grow dramatically over time. A huge and subsequently complex firewall configuration is hard to manage and may require lengthy research to add or change a rule.
Moreover, complexity decreases the firewall's performance and may lead to potential security breaches. For example, say a rule was created to allow a temporary service to work for a limited time, but the administrator failed to delete the rule after the task was finished. This could introduce real security risks.
Finding unused rules, duplicate rules, and rules that are covered by other rules is a complex manual task for a firewall administrator. It may take days of investigating just to locate such rules in huge firewall configurations.
With the right kinds of firewall management technology in place, companies can clean their firewall rules and policies, ease the network administrator's job, boost firewall performance and eliminate security holes.
Five examples of clutter that firewall management technology can automatically and continuously locate and remove include:
1. Unused rules: Rules that have not matched any packet during a specified time. By examining firewall logs and comparing the actual traffic to the rules in the policy, unused rules are ideal candidates for removal. Often the application has been decommissioned or the server has been relocated to a different address.
2. Covered or duplicated rules: Rules that can never match traffic because a prior rule or a combination of earlier rules prevents traffic from ever hitting them. During firewall cleanup such covered or duplicated rules can be deleted since they will be never used. Covered and duplicated rules cause the firewall to spend precious time for nothing and decrease its performance.
3. Disabled rules: Rules that are marked “disabled” and are not in operation. Disabled rules are ideal candidates for removal, unless the administrator keeps them for occasional use or for historical record.
4. Time inactive rules: Rules that were active for a specified time in the past and that time has expired. Surprisingly, instances of time clauses on a rule have been found that do not contain a field for the year. Therefore rules that were active for a specific period would become active again at the same time next year. Retaining such rules introduces potential security holes.
5. Unnecessary Objects: Ideally a firewall management solution should analyze the following:
- unattached objects - objects that are not attached to any rule,
- empty objects - objects that do not contain any IP address or address range and
- unused objects - whose address ranges didn't match any packet during a specified time.
By removing the unnecessary rules and objects that clutter firewalls, the complexity of the firewall policy is reduced. This improves management, performance increases, and potential security holes are removed.
By taking action on these five types of firewall clutter, firewall administrators can achieve significant and measurable performance improvements for their complex corporate firewalls and increase security. And with the right kind of firewall management solution that automatically and continuously reduces clutter and improves security, organizations replace the manual, inefficient and potentially error-prone task of managing complex firewall, router and VPN configurations while optimizing firewall performance and prioritizing action based on quantifiable risk exposure.
