Firewall administration involves constantly searching for ways to improve firewall management, increase firewall performance and remove network security threats. Keeping a firewall properly configured and operating at peak efficiency is a constant challenge for network administrators. With the right kind of firewall management technology, Knowledge Center contributor Dr. Avishai Wool explains how you can rid your firewall of clutter and improve its security and performance..jpg)
Firewalls are the first and continued line of defense for enterprises today, handling vast amounts of traffic across the corporate network. On the perimeter alone, firewalls filter millions of packets daily. The corporate security policy implemented in these firewalls often consists of hundreds, or even thousands, of rules and objects. Objects may include groups of servers, user machines, sub-networks in the data center, and networks in company branch offices or DMZs (demilitarized zones). The firewall rules define which type of applications and which network services are allowed to traverse between networks - and which should be blocked.
Since business needs are dynamic, firewall policies are constantly being changed and modified. Firewall administration teams in large organizations often process dozens of rule additions and changes daily. This continuous flux causes the firewall configuration to grow dramatically over time. A huge and, subsequently complex, firewall configuration is hard to manage and may require lengthy research in order to add or change a rule.
Moreover, the complexity of the configuration decreases the firewalls performance and may lead to potential security breaches. For example, if a rule is created to allow a temporary service to work for a limited time, but the administrator fails to delete the rule after the task is finished, this introduces real security risks.
It is a complex manual task for the firewall administrator to find unused rules that have not matched any traffic, duplicate rules and rules that are covered by other rules. It may take days of investigating just to locate such rules in huge firewall configurations. Meanwhile, simultaneously, the firewall is continuing to change daily due to user requests.
With the right kinds of firewall management technology in place, companies can clean up their firewall rules and policies, ease the network administrators job, boost firewall performance and eliminate security holes. The following are five examples of clutter that firewall management technology can automatically and continuously locate and remove:
Clutter type #1: Unused rules
Unused rules are rules that have not matched any packet during a specified time. By examining firewall logs and comparing the actual traffic to the rules in the policy, unused rules are ideal candidates for removal. Often, the application has been decommissioned or the server has been relocated to a different address.
Clutter type #2: Covered or duplicated rules
Covered or duplicated rules are rules that can never match traffic because a prior rule (or a combination of earlier rules) prevents traffic from ever hitting them. During firewall cleanup, such covered or duplicated rules can be deleted since they will be never used. These types of rules cause the firewall to spend precious time for nothing, decreasing its performance.
Clutter type #3: Disabled rules
Disabled rules are rules that are marked disabled and are not in operation. Disabled rules are also ideal candidates for removal - unless the administrator keeps them for occasional use or for historical record.
Clutter type #4: Time inactive rules
Time inactive rules are rules that were active for a specified time in the past and that time has expired. Surprisingly, a top firewall vendors time clause on a rule does not contain a field for the year. Therefore, rules that were active for a specific period will become active again at the same time the following year. Retaining such rules introduces potential security holes.
Clutter type #5: Unnecessary objects
Ideally, a firewall management solution should analyze the following: unattached objects (objects that are not attached to any rule), empty objects (objects that do not contain any IP address or address range), and unused objects (objects whose address ranges didnt match any packet during a specified time). By removing the unnecessary rules and objects that clutter firewalls, the complexity of the firewall policy is reduced. This improves management, increases performance and removes potential security holes.
By taking action on these five types of firewall clutter, firewall administrators can achieve significant and measurable performance improvements for their complex corporate firewalls, thereby increasing security. By using the right kind of firewall management solution, organizations can replace the manual, inefficient and potentially error-prone task of managing complex firewall, router and VPN configurations. And they can do so while optimizing firewall performance and prioritizing action, based on quantifiable risk exposure.
Dr. Avishai Wool is Chief Technology Officer and Co-Founder of AlgoSec, a provider of Firewall Operations and Security Risk Management solutions. He co-founded the company while he was an Assistant Professor in the School of Electrical Engineering at Tel Aviv University.
He is also the Associate Editor of the ACM Transactions on Information and System Security. He has served on the program committee of the leading IEEE and ACM conferences on computer and network security. He has published more than 40 research papers, and holds seven U.S. Patents, with many more pending.
His primary areas of research include computer and network security, data communication networks and distributed computing. He holds a B.S. (Cum Laude) in Mathematics and Computer Science from Tel Aviv University, and a M.S. and Ph.D. in Computer Science from the Weizmann Institute of Science. He can be reached at avishai.wool@algosec.com.
Network Security & Hardware 
/ 18 
