13 Jul 2010, Steve Martinez, Computing
http://www.computing.co.uk/ctg/opinion/1846019/why-bother-optimising-firewall-rules
Sometimes firewalls don’t behave as expected. A firewall is told what to do by an ordered list of commands known as rules, and it acts on the first rule that matches a connection. As rules accumulate over time, some end up so far down the list that an earlier rule always matches first and they are never processed.
According to published reports, nearly 40 per cent of firewall rules remain unused. This can result in unpredictable firewall behaviour.
This matters because regulatory audit requirements demand that a documented justification is attached to every firewall rule on the network.
As networks grow more complex, so does the reporting task. As the regulatory authorities tighten their scrutiny, fines increase and an organisation's right to operate in a regulated market can be put at risk.
These audit requirements include the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley section 404 (assessed against the framework of the Committee of Sponsoring Organisations of the Treadway Commission, COSO) and the Control Objectives for Information and Related Technology (COBIT) domains.
The issue of identifying rules that no longer fulfil a business requirement is not unique to any single firewall vendor. However, firewall management tools have started to address the issue using unobtrusive, real-time methods to identify unused rules and those that are buried too far down the stack to be processed by the firewall.
This information helps the administrator re-order the rules so that the critical 10 per cent sit at the top of the policy, which improves the performance of the device, while also exorcising unused rules, objects and services from all the firewalls in the environment.
By identifying rules that fail to match any traffic requests over time, the unwanted and unjustified rules can easily be pulled out of the policy.
In addition, by knowing how often each rule is processed by the firewall, the administrator has the knowledge to re-order the policy in the most efficient way possible, moving the most frequently hit rules into the top 10 per cent of the stack.
Cleaning up, that is removing unused or hidden rules and objects, therefore becomes as simple as running a report, rather than the lengthy and error-prone process of doing the task by hand.
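As an added illustration, not code from the article or from Secure Passage, here is a small Python model of what such a tool computes: first-match hit counts from a flow log, rules that are shadowed by an earlier rule, and a usage-based re-ordering that only moves a rule past neighbours it does not conflict with, so the policy's decisions stay the same. The rule names, addresses and flows are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    port: "int | None"  # None means any port
    action: str         # "allow" or "deny"
    def matches(self, src, dst, port):
        return (ip_address(src) in ip_network(self.src) and ip_address(dst) in ip_network(self.dst)
                and (self.port is None or self.port == port))
    def covers(self, other):  # every packet that hits `other` would already have hit self
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.port is None or self.port == other.port))
    def conflicts(self, other):  # traffic overlaps but actions differ, so relative order matters
        return (self.action != other.action and ip_network(self.src).overlaps(ip_network(other.src))
                and ip_network(self.dst).overlaps(ip_network(other.dst))
                and (self.port is None or other.port is None or self.port == other.port))

def first_match(rules, src, dst, port):  # first-match semantics: the first rule that matches decides
    return next((r for r in rules if r.matches(src, dst, port)), None)

def hit_counts(rules, flows):  # how often each rule is the one that actually fires; zeros are kept
    counts = Counter({r.name: 0 for r in rules})
    counts.update(hit.name for hit in (first_match(rules, *flow) for flow in flows) if hit)
    return counts

def shadowed(rules):  # rules that can never fire: an earlier rule already covers all of their traffic
    return [r.name for i, r in enumerate(rules) if any(e.covers(r) for e in rules[:i])]

def reorder_by_hits(rules, counts):  # bubble hotter rules up, but never past a rule they conflict with
    order = list(rules)
    for i in range(1, len(order)):
        j = i
        while j > 0 and counts[order[j].name] > counts[order[j - 1].name] and not order[j].conflicts(order[j - 1]):
            order[j], order[j - 1] = order[j - 1], order[j]
            j -= 1
    return order

RULES = [Rule("dns-allow", "10.0.0.0/8", "10.1.1.53/32", 53, "allow"),  # constructed sample policy
         Rule("web-allow", "10.0.0.0/8", "0.0.0.0/0", 443, "allow"),
         Rule("guest-deny", "10.0.5.128/25", "10.1.1.0/24", None, "deny"),  # unused, but conflicts with ssh-allow
         Rule("legacy-deny", "10.2.0.0/16", "10.1.1.53/32", 53, "deny"),   # fully shadowed by dns-allow
         Rule("ssh-allow", "10.0.5.0/24", "10.1.1.10/32", 22, "allow"),
         Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny")]    # zero hits, yet still justified
FLOWS = [("10.0.5.7", "10.1.1.10", 22)] * 5 + [("10.0.0.9", "198.51.100.4", 443)] * 3 + [("10.0.0.9", "10.1.1.53", 53)]
```

Note that a zero hit count alone does not make a rule removable: the default deny never fires in this log but is still required, and the hot ssh-allow rule cannot rise above guest-deny until someone reviews that deny, which is exactly the business-justification step the article describes.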
When optimising and maintaining a clean and efficient firewall policy, it is important to focus on four key areas: creating and maintaining an ongoing rule analysis and clean-up process, understanding what each rule does, sorting rules based on usage and improving the rule creation process.
This is only the start. Like any good training programme, the process takes time, buy-in and patience.
Steve Martinez is director (international and strategic) at Secure Passage
© Incisive Media Investments Limited 2012, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093