Your organization’s firewall is the first line-of-defense against cyber-attacks and it is where the implementation of the access policies takes place. In a typical organization firewall policies are constantly changing to respond to various threats and adapt to changes in the network environment. Therefore, regular audit of the firewall rules is necessary, not only to maintain the security of the network, but also to ensure the correct and optimal functioning of the firewall as policy rules continue to grow more granular and complex.
Such firewall audit should look for some common problems that result from frequent changes to firewall policies and provide recommendation on how to correct them. Among the common problems to watch for are:
- Excessively permissive rules: Rules that use “any” or “*” in one or more of its fields permit more packets than what is required for the network operations. These rules increase the risk of exploitation.
- Redundant rules: A rule is redundant if there is another (prior or subsequent) rule that matches the same packets and requires the same action such that if the redundant rule is removed, the security policy will not be affected. Redundant rules enlarge the size of the security policy unnecessarily and degrade the firewall’s performance.
- Shadowed rules: This situation occurs when a rule matches all the packets that subsequent rules should match but with a different action. Shadowed rules are problematic because they are never activated, resulting in an incorrect implementation of the security policy.
- Unused rules: This includes rules that have not matched any packets for a significant period of time. They are often caused by a change in the network or the applications that is not reflected in the firewall policy. These rules clutter the firewall policy and decrease performance. They also slow policy maintenance and hinder troubleshooting problems.
- Disabled rules: These are rules that are marked as inactive of disabled but are not yet removed from the policy. Unless they are kept for a good reason, disabled rules increase the clutter and memory usage.
The sound practice is to perform regular audits (e.g. twice a year) to clean up all redundant, unused, and disabled rules that may have been caused by removing services that are no longer exist, temporary exceptions, network upgraded, mergers and so on. It is also extremely important to find and correct shadowed rules and restrict the wide open rule rules to improve security and adhere to the organizations security policy.
Manual audit of firewall policy rules is tedious and error prone. It also adds significant load to the network administrators. Yet, the audit is necessary or even mandated for compliance purposes. To overcome these challenges, some automation of the audit process can reduce complexity and achieve significant performance improvements.
At DynamikNets, we have developed the tools to automate firewall policy audits and recommend improvements. The tools inspect firewall configurations from major vendors and identify rule anomalies and other problems. Combined with manual review of other firewall data, we are able to provide our customers with comprehensive recommendations of the changes that need to be made to the firewall rules to optimize performance.