Firewalls are the first and continued line of defense for enterprises today, handling vast amounts of traffic across the corporate network. On the perimeter alone, firewalls filter millions of packets daily. The corporate security policy implemented in these firewalls often consists of hundreds, or even thousands, of rules and objects. Objects may include groups of servers, user machines, sub-networks in the data center, and networks in company branch offices or DMZs (demilitarized zones). The firewall rules define which type of applications and which network services are allowed to traverse between networks – and which should be blocked.
Since business needs are dynamic, firewall policies are constantly being changed and modified. Firewall administration teams in large organizations often process dozens of rule additions and changes daily. This continuous flux causes the firewall configuration to grow dramatically over time. A huge and, subsequently complex, firewall configuration is hard to manage and may require lengthy research in order to add or change a rule.
Moreover, the complexity of the configuration decreases the firewall’s performance and may lead to potential security breaches. For example, if a rule is created to allow a temporary service to work for a limited time, but the administrator fails to delete the rule after the task is finished, this introduces real security risks.
It is a complex manual task for the firewall administrator to find unused rules that have not matched any traffic, duplicate rules and rules that are covered by other rules. It may take days of investigating just to locate such rules in huge firewall configurations. Meanwhile, simultaneously, the firewall is continuing to change daily due to user requests.
With the right kinds of firewall management technology in place, companies can clean up their firewall rules and policies, ease the network administrator’s job, boost firewall performance and eliminate security holes. The following are five examples of clutter that firewall management technology can automatically and continuously locate and remove:
Clutter type #1: Unused rules
Unused rules are rules that have not matched any packet during a specified time. By examining firewall logs and comparing the actual traffic to the rules in the policy, unused rules are ideal candidates for removal. Often, the application has been decommissioned or the server has been relocated to a different address.
Clutter type #2: Covered or duplicated rules
Covered or duplicated rules are rules that can never match traffic because a prior rule (or a combination of earlier rules) prevents traffic from ever hitting them. During firewall cleanup, such covered or duplicated rules can be deleted since they will be never used. These types of rules cause the firewall to spend precious time for nothing, decreasing its performance.
Clutter type #3: Disabled rules
Disabled rules are rules that are marked “disabled” and are not in operation. Disabled rules are also ideal candidates for removal – unless the administrator keeps them for occasional use or for historical record.
Clutter type #4: Time inactive rules
Time inactive rules are rules that were active for a specified time in the past and that time has expired. Surprisingly, a top firewall vendor’s time clause on a rule does not contain a field for the year. Therefore, rules that were active for a specific period will become active again at the same time the following year. Retaining such rules introduces potential security holes.
Clutter type #5: Unnecessary objects
Ideally, a firewall management solution should analyze the following: unattached objects (objects that are not attached to any rule), empty objects (objects that do not contain any IP address or address range), and unused objects (objects whose address ranges didn’t match any packet during a specified time). By removing the unnecessary rules and objects that clutter firewalls, the complexity of the firewall policy is reduced. This improves management, increases performance and removes potential security holes.
By taking action on these five types of firewall clutter, firewall administrators can achieve significant and measurable performance improvements for their complex corporate firewalls, thereby increasing security. By using the right kind of firewall management solution, organizations can replace the manual, inefficient and potentially error-prone task of managing complex firewall, router and VPN configurations. And they can do so while optimizing firewall performance and prioritizing action, based on quantifiable risk exposure.
Avishai Wool is co-founder and Chief Technology Officer of AlgoSec. Prior to co-founding AlgoSec, Avishai co-founded Lumeta Corporation in 2000 and was chief scientist until 2002. At Lumeta, Avishai was responsible for transforming firewall analyzer technology that he helped create while working at Bell Labs into a commercial product. Prior to Bell Labs spinning off the Lumeta Corporation, Avishai was a member of Bell Lab’s technical staff in the secure systems research department. There, Avishai led a team of researchers who created the first research prototypes of the firewall analyzer.
Avishai is also an associate editor of the ACM Transactions on Information and System Security (TISSEC). He has served on the program committee of the leading IEEE and ACM conferences on computer and network security. Avishai has published more than 40 research papers and holds 10 U.S. patents, with many more pending. He is also an associate professor in the School of Electrical Engineering, Tel Aviv University. He holds a Bachelor’s degree (cum laude) in Mathematics and Computer Science from Tel Aviv University, and a Master’s degree and Ph.D. in Computer Science from the Weizmann Institute of Science. He can be reached at [email protected].