Before we discuss the “how” aspect of cleaning up the firewall rule base, let’s understand the “why” which scoped out the need to perform clean-up.
- Firewall Performance Impact: The firewall rule base is something that always tends to grow as network admins and security admins keep adjusting them to address firewall policy changes. If left unchecked, your firewall rule base swell to have hundreds or even thousands of rules which will make it harder for the firewall to process – which leads to reduced performance.
- Firewall Configuration Errors: With complex rule sets, there is the possibility of some unused rules and duplicate rules causing config errors. Given the massive size of the rule base, it become more difficult for the administrator to figure the cause of the error and rectify it.
- Security Vulnerability: Unmanaged and unchecked firewall rule base can contain rules and objects that open up a security gap in your network. You may not intend them to be there. But you may never know there are these old and unused rules in your firewall that pose a threat to your network access control.
- Regulatory Compliance Requirements: Compliance policies such as PCI DSS require cleaning up of unused firewall rules and objects. According to PCI DSs 3.0 requirement 1.1.7, firewall and router rule sets have to be reviewed at least every six months.
So, it comes back on the administrator to identify redundant, duplicate, old, unused, and shadowed rules and remove them from the rule base to achieve optimized firewall performance. Let’s discuss how you can do this.
STRUCTURAL REDUNDANCY ANALYSIS
Structural redundancy needs no additional data and is based on identifying rules that are covered by other rules and have the same action (redundant rules), or the opposite action (shadowed rules). In either case, a rule that is redundant or shadowed is a candidate for elimination. You can employ an automated firewall management tool to conduct a structural redundancy analysis to identify redundant rules. Automated tools help you generate a report and even a clean-up script. In addition to the redundant and shadowed rules, you should also find the rules that cause their redundancy, unreferenced objects, time inactive rules, disabled rules, and so on.
LOG USAGE ANALYSIS
Log usage analysis identifies rules and objects that can be eliminated based on zero usage as analyzed using log data. Firewall management tools generally use two techniques to use log data. The first technique uses log data files, the second sets up log data collection directly from the device or management server. Here again, a report and clean-up script are generated.
For both cases, you can run the script to remove the identified rules and objects from the firewall rule base. It’ll be more effective if you conduct the log usage analysis first, and clean up unnecessary rules. The cleaned up rules may be removed from the configuration or disabled. Then the structural cleanup report can be generated to identify additional rules that can be removed.
WHAT RULES TO CLEAN UP?
- Redundant or duplicate rules slow firewall performance because they require the firewall to process more rules in its sequence
- Orphaned or unused rules make rule management more complex, which creates a security risk by opening up a port or VPN tunnel
- Shadowed rules can leave any other critical rule unimplemented
- Conflicting rules may create backdoor entry points
- Unnecessarily boated firewall rules can complicate firewall security audits
- Erroneous or incorrect rules with typographical or specification inaccuracies can cause rules to malfunction