Best practices for cleaning up your firewall rule base

After years of use, the rule bases that drive your network firewalls get unwieldy -- clogged with expired, obsolete, duplicative and conflicting policies. For better performance, stronger security and compliance with regulations, you'll want to clean up those rule bases. In this article, technical experts and customers of Tufin Technologies, a firewall management provider, offer their best practices for cleaning your firewall rule base, either manually or with tools that automate the process.

When it comes to mature technology on your network, firewalls are right up there. You certainly have at least one, and possibly many more, and it's likely they have been in place just doing their job for quite a while.

Over time, firewall rule bases tend to become large and complicated. Not long ago, 200 to 300 rules were considered excessive. Now, it's not unusual for firewalls to have many hundreds or even thousands of rules, many of which were rendered obsolete when IT operations added new rules to meet business requests but neglected to remove any old ones.

Firewall audit tools: Features and functions

Analyzing configurations for a few firewalls, let alone hundreds, has grown beyond the capacity of human computation. That's why a new class of products -- several of which were recently tested by Network World -- is quickly rising in popularity to help network administrators catch misconfigurations, avoid conflicting rules, identify vulnerabilities and meet auditing and compliance mandates. In a May 2010 CSO article, Neil Roiter wrote, "Firewall audit tools automate the otherwise all-but-impossible task of analyzing complex and bloated rule sets to verify and demonstrate enterprise access controls and configuration change-management processes."

But even if you only have a couple of firewalls, if they have been in place for a few years, chances are they include rules that are either partially or completely unused or expired, or they overlap or "shadow" each other. The problem gets worse if there have been multiple administrators making changes, or if there are many firewalls in your organization. When the rule base gets big and unwieldy, it starts to affect firewall performance. The rule base is difficult to maintain, and it can conceal genuine security risks.

In addition, regulatory requirements and industry mandates such as PCI DSS require cleanup of unused firewall rules and objects. This can play to your advantage, however, because although business efficiency and security may be the ultimate goals, complying with regulatory requirements frequently opens up the budget. The firewall audit market, estimated by Forrester Research at $25 million to $30 million in 2009, is fueled by PCI DSS requirements to review firewall and router configurations every six months. These controls also typically come under scrutiny during internal, partner and other regulatory audits.

Reuven Harrison is the CTO of firewall management vendor Tufin Technologies, one of the vendors whose product was tested in the Network World review. With the help of some of his customers, Harrison put together a list of best practices for cleaning up a firewall (or router) rule base. The practices apply whether or not you use a firewall management tool, but obviously it's easier to perform the tasks and achieve good results if you have a tool to automate these activities.

* Delete fully shadowed rules that are effectively useless.

* Delete expired and unused rules and objects.

* Remove unused connections, including specific source/destination/service routes that are not in use.

* Enforce object naming conventions that make the rule base easy to understand. For example, use a consistent format such as host name_IP for hosts.

* Delete old and unused policies. Check Point and some other vendors allow you to keep multiple rule bases.

* Remove duplicate objects, for example, a service or network host that is defined twice with different names.

* Reduce shadowing as much as possible.

* Break up long rule sections into readable chunks of no more than 20 rules.

* Document rules, objects and policy revisions for future reference.
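The first and last-but-two items above (fully shadowed rules and duplicate objects) are the two checks that are easiest to automate. The following is an added example, not code from the article or from Tufin's product: it models a rule base with first-match semantics and a deliberately simplified rule (one CIDR for source, one for destination, a set of TCP destination ports), flags later rules that an earlier rule completely covers, and groups objects that share an identical definition under different names. The rule and object names are constructed sample data.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

ANY_PORT = frozenset(range(1, 65536))  # stands in for a service object of "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source network, CIDR notation
    dst: str          # destination network, CIDR notation
    ports: frozenset  # destination TCP ports the rule matches
    action: str       # "accept" or "drop"


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    o_src = ipaddress.ip_network(outer.src, strict=False)
    i_src = ipaddress.ip_network(inner.src, strict=False)
    o_dst = ipaddress.ip_network(outer.dst, strict=False)
    i_dst = ipaddress.ip_network(inner.dst, strict=False)
    return i_src.subnet_of(o_src) and i_dst.subnet_of(o_dst) and inner.ports <= outer.ports


def fully_shadowed(rules):
    """First match wins, so a rule that an earlier rule fully covers never fires.
    Returns (shadowed, shadowing, kind): 'redundant' if both rules share an action,
    'conflicting' if the shadowed rule's intent (e.g. a drop) is silently lost."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "conflicting"
                findings.append((rule.name, earlier.name, kind))
                break  # report the first shadowing rule only
    return findings


def duplicate_objects(objects):
    """Group object names whose definitions are identical (the same host defined twice)."""
    by_definition = defaultdict(list)
    for name, definition in objects.items():
        by_definition[definition].append(name)
    return [sorted(names) for names in by_definition.values() if len(names) > 1]


# Constructed sample rule base and object table; not taken from any real firewall.
SAMPLE_RULES = [
    Rule("r1_web_in", "0.0.0.0/0", "10.0.1.0/24", frozenset({80, 443}), "accept"),
    Rule("r2_dmz_any", "192.168.0.0/16", "10.0.0.0/8", ANY_PORT, "accept"),
    Rule("r3_old_web", "203.0.113.0/24", "10.0.1.10/32", frozenset({443}), "accept"),
    Rule("r4_block_lab", "192.168.50.0/24", "10.0.2.0/24", frozenset({22}), "drop"),
    Rule("r5_mail", "0.0.0.0/0", "10.0.3.25/32", frozenset({25}), "accept"),
]
SAMPLE_OBJECTS = {"web01": "10.0.1.10/32", "webserver-old": "10.0.1.10/32", "mail01": "10.0.3.25/32"}
```

Run on the sample, `fully_shadowed` reports r3 as redundant behind r1 and r4 as a conflicting drop hidden behind r2's broad accept, which is exactly the kind of finding that a rule-count alone would never surface.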

Enterprises exhaust countless man-hours analyzing firewall and router configurations to produce audit reports, only to realize that they do not have a firm grasp on their network access controls and the change management processes that enable them. The Network World test lab gave the class of products as a whole a thumbs up. In addition to the core firewall rule base cleanup and optimization functions, some of the vendors, including Tufin, support a wide variety of switches and routers, which are prone to the same set of issues as firewalls. The tools also automate the change management process as well as the process for creating, testing and implementing policy (rule) changes.

While compliance automation may be sufficient budget justification, firewall management tools also offer tangible business and operational benefits that go beyond audit woes.


Copyright © 2010 IDG Communications, Inc.