The consequence of poor management is a firewall policy with unnecessary rules that result in excessive complexity, overly permissive access, unnecessary risk and performance degradation, all of which lead to higher costs that can be avoided. These problems can be addressed with both short-term and long-term activities to clean up the firewall.
It is not uncommon for a firewall to have hundreds or even thousands of rules, many of which were inherited by the current IT Manager and are not even documented correctly. It is therefore difficult to understand why a rule was implemented in the first instance and who owns it.
Other issues in maintaining a firewall are:
Unused firewall rules
Unused firewall rules don’t directly cause any security issues if they are left unattended or not updated. However, they can cause serious performance issues to your firewall estate, and we have even seen customers invest in new, larger firewalls to improve performance rather than optimising their current solutions. The other issue faced by the IT Manager is identifying which rules are unused in the first place.
Shadow rules
A shadow rule is a rule that matches the query but will never actually handle any of the traffic included in the query. All the traffic included in both the rule and the query is handled by a rule or rules higher up in the rule base.
Again, as with an unused rule this is more likely to affect the firewall performance rather than present a security issue.
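The shadow-rule definition above, as an added example that is not from the original page or from any vendor's product: it flags rules whose traffic is entirely taken by a rule or a combination of rules higher up. It assumes a first-match rule base and a hypothetical rule format (dicts with `name`, `proto`, `src`, `dst`, `ports`, `action`); the sample rules are constructed.

```python
import ipaddress
from itertools import product

def box(rule):
    """Rule -> inclusive integer ranges for (source, destination, port)."""
    def span(cidr):
        n = ipaddress.ip_network(cidr)
        return (int(n.network_address), int(n.broadcast_address))
    return (span(rule["src"]), span(rule["dst"]), tuple(rule["ports"]))

def overlaps(a, b):
    return all(a[d][0] <= b[d][1] and b[d][0] <= a[d][1] for d in range(3))

def covered(target, earlier):
    """True if every packet in `target` also matches at least one box in `earlier`."""
    axes = []
    for d in range(3):
        lo, hi = target[d]
        # Cut the target wherever an earlier box starts or stops matching.
        cuts = {lo} | {c for b in earlier for c in (b[d][0], b[d][1] + 1) if lo < c <= hi}
        axes.append(sorted(cuts))
    # Matching is constant inside each cell, so one corner point per cell is enough.
    return all(any(all(b[d][0] <= p[d] <= b[d][1] for d in range(3)) for b in earlier)
               for p in product(*axes))

def find_shadowed(rules):
    """Return {shadowed rule: [earlier overlapping rules]} for a first-match rule base."""
    result = {}
    for i, rule in enumerate(rules):
        tgt = box(rule)
        # Simplification: a protocol is only covered by the same protocol or "any".
        above = [r for r in rules[:i]
                 if r["proto"] in (rule["proto"], "any") and overlaps(box(r), tgt)]
        if above and covered(tgt, [box(r) for r in above]):
            result[rule["name"]] = [r["name"] for r in above]
    return result

# Constructed sample rule base, evaluated top-down (hypothetical format).
RULES = [
    {"name": "allow-web-a", "proto": "tcp", "src": "10.0.0.0/25", "dst": "192.0.2.10/32", "ports": (443, 443), "action": "allow"},
    {"name": "allow-web-b", "proto": "tcp", "src": "10.0.0.128/25", "dst": "192.0.2.10/32", "ports": (443, 443), "action": "allow"},
    {"name": "contractor-web", "proto": "tcp", "src": "10.0.0.0/24", "dst": "192.0.2.10/32", "ports": (443, 443), "action": "allow"},
    {"name": "allow-ssh", "proto": "tcp", "src": "10.0.0.0/24", "dst": "192.0.2.20/32", "ports": (22, 22), "action": "allow"},
    {"name": "deny-all", "proto": "any", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "ports": (0, 65535), "action": "deny"},
    {"name": "allow-dns", "proto": "udp", "src": "10.0.0.0/24", "dst": "192.0.2.53/32", "ports": (53, 53), "action": "allow"},
]

if __name__ == "__main__":
    for name, by in find_shadowed(RULES).items():
        print(f"{name} is shadowed by {', '.join(by)}")
```

Here `contractor-web` is not covered by any single rule, only by the two /25 rules together, which is why the check works on the union of earlier rules.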
Expired rule
An expired rule is a temporary rule that is often written for a contractor or someone similar to allow them to perform a task for a certain time. The pitfalls with expired rules are that if the expiry date is not accurate you can introduce a security risk to your organisation, and as with unused and shadow rules, once they have expired performance issues arise.
Unattached objects
A firewall object will have interface and IP address objects that mirror the real interfaces and IP addresses of the actual device. In addition, the firewall object is where you create the access policy rule sets. An unattached object is one where the attached device has been removed or replaced. This can cause a security issue within your organisation as well as performance issues.
Compliance
Compliance often means your organisation will need to review its firewall rule sets at least every six months. Complying with this requirement means having a report to show that rule sets were in fact reviewed, that any questionable rules from the last audit were addressed, and that any changes to rules since the last audit were dealt with properly. Around one third of companies fail to provide the required documentation to satisfy the auditor on this point because of poor processes.
FireMon may have the answers…
FireMon’s Security Manager platform was designed to address the three biggest challenges in firewall monitoring and management: it gives network and security teams a single, definitive view into the configurations of devices made by all major firewall vendors, including those in the cloud, and presents the data in a centralised, real-time dashboard that provides customisable reports to inform management processes.
How FireMon Do It
- Real-time security analysis – Gauge the efficacy of your existing firewall policies, including comparative scoring, to understand current access enforcement.
- Policy search – Quickly search all devices within the enterprise domain from a single place in the application.
- Traffic flow analysis – Trace the source and destination of every rule in each of your existing firewall policies (including NAT) to understand traffic flow.