Frequency-X Blog, 2007
Firewall Spring Cleaning

You’d think that after nearly twenty years of firewalls being the frontline defense for enterprises, all the kinks would have been worked out by now. To be fair, as defenses go, the good old firewall has stood up surprisingly well in the face of increasingly complex networked environments and ever more demanding applications. The kinks I’m talking about have nothing to do with a specific technology implementation or configuration interface, nor even with how firewalls are deployed, but rather with the way in which they are maintained. Like a much-loved toy relegated to the bottom of the storage box after years of play, firewalls often find themselves similarly tucked away and forgotten about.

Firewall Rulesets

Over the weekend I had the opportunity to help a friend optimize a fairly complex firewall policy. I remember the last time I helped review this particular enterprise firewall and had to sift through its ruleset; if memory serves me well, it was something like three years ago. Over that period the ruleset had accumulated an additional couple of hundred rules, which made it a nightmare to maintain (not to mention the degradation of system performance and security). Not only was maintenance difficult, but the additional rules and their alerts had swamped the event logs to such a degree that the team supposed to monitor them had pretty much given up on the firewall and would never have been able to spot an attack in progress.

Deciphering a big firewall ruleset isn’t exactly a trivial task (but it is a tedious one). While there are a handful of free tools out there that do a pretty good job of flagging redundant and superseded rules, none of them account for the actual context of a rule.
For example, it takes a human to look at a rule named “temp_payment_srv2” which allows remote access to TCP port 8080 on a host called “betaSRV2”, situated in the “QA” VLAN, and to question whether that host still exists and whether the rule is genuinely required. By the time I had gone through several rounds of Q&A to find out what a particular host or network segment did and whether it was still needed, the ruleset had shrunk to about one-third of its starting size, and ultimately required about one-fifth the number of alerting rules.

Spring Cleaning

Over the years I guess I’ve had to do this kind of thing to maybe thirty or forty large enterprise firewalls: sifting through rulesets, deciphering network topology maps, consolidating rules, and optimizing the security performance of the firewall. Unfortunately it doesn’t get any easier over time, and the longer someone leaves it between “spring cleans” the tougher it gets. For those of you contemplating the tuning and optimization of an enterprise firewall, some of the things I’d recommend when tuning rulesets include:
Whether you prefer the proverb “a pinch of prevention is worth a pound of cure” or “a stitch in time saves nine”, I wholeheartedly recommend that enterprises undertake an annual review of their firewall rulesets. Think of it as a little bit of spring cleaning and preventative maintenance all rolled into one.
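The two halves of a ruleset review described above, the mechanical part (flagging redundant and superseded rules, which free tools already do) and the context part (a “temp_” rule pointing at a host nobody can vouch for), as an added example that is not code from the original post. It assumes a simplified first-match IPv4 rule model and a constructed asset inventory standing in for the CMDB or the rounds of Q&A; all rule names and addresses are placeholders.

```python
"""Ruleset review helper (added example, not from the post): flags superseded
rules and context cues a reviewer would chase up. Assumes a first-match
IPv4 ruleset and a constructed asset inventory standing in for the CMDB."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source CIDR
    dst: str     # destination CIDR (a bare address means /32)
    proto: str   # 'tcp', 'udp' or 'any'
    port: str    # port number as a string, or 'any'
    action: str  # 'allow' or 'deny'

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    src_ok = ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
    dst_ok = ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
    return src_ok and dst_ok and a.proto in ("any", b.proto) and a.port in ("any", b.port)

def review(rules, inventory, name_hints=("temp", "tmp", "test")):
    """Return (rule name, finding) pairs for a first-match ruleset."""
    findings = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:          # the tools' job: superseded rules
            if covers(earlier, r):
                kind = "redundant" if earlier.action == r.action else "unreachable"
                findings.append((r.name, f"{kind}: superseded by '{earlier.name}'"))
                break
        if any(h in r.name.lower() for h in name_hints):   # the human's job: context
            findings.append((r.name, "name suggests a temporary rule; confirm it is still needed"))
        dst = ipaddress.ip_network(r.dst)
        if dst.num_addresses == 1 and str(dst.network_address) not in inventory:
            findings.append((r.name, f"host {dst.network_address} is not in the asset inventory"))
    return findings

# Constructed sample ruleset and inventory; addresses are placeholders.
RULES = [
    Rule("allow_web_from_corp", "10.0.0.0/8", "10.20.0.0/16", "tcp", "443", "allow"),
    Rule("allow_qa_web", "10.1.0.0/16", "10.20.5.0/24", "tcp", "443", "allow"),
    Rule("deny_qa_mgmt", "10.1.0.0/16", "10.30.0.0/16", "tcp", "22", "deny"),
    Rule("temp_payment_srv2", "0.0.0.0/0", "10.30.7.42", "tcp", "8080", "allow"),
    Rule("allow_qa_ssh_jump", "10.1.0.5", "10.30.0.9", "tcp", "22", "allow"),
]
INVENTORY = {"10.30.0.9", "10.20.5.10"}  # hosts the CMDB still knows about

if __name__ == "__main__":
    for name, finding in review(RULES, INVENTORY):
        print(f"{name}: {finding}")
```

On the sample, the second rule is reported as redundant, the last as unreachable behind the earlier deny, and the “temp_payment_srv2” rule for both its name and its unknown destination host; the inventory check is the piece the free tools leave to a human.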