How to clean up a firewall rulebase

Over time, firewall rule bases tend to become large and complicated. They often include rules that are partially or completely unused, expired or shadowed. The problem gets worse when multiple administrators have been making changes, or when there are many firewalls in the organization. When the rule base gets big and tangled it starts to affect firewall performance, it becomes difficult to maintain, and it can conceal genuine security risks. Standards such as PCI-DSS also require clean-up of unused rules and objects.

With some help from our customers, I've put together a list of best practices for cleaning up a firewall (or router) rule base. You can do all of these checks on your own, but if you have a firewall configuration management product you can run most of them automatically.
1. Delete fully shadowed rules that are effectively useless. If you have SecureTrack, these are detected by the Rule and Object Usage report.
2. Delete expired and unused rules and objects. All of these are detected by the Rule and Object Usage and the Expired Rules reports.
3. Remove unused connections – specific source/destination/service routes that are not in use. You can detect those using the Automatic Policy Generator to analyze traffic patterns.
4. Enforce object naming conventions that make the rule base easy to understand. For example, use a consistent format such as host_name_IP for hosts. This is an option in the SecureTrack Best Practices report.
5. Delete old and unused policies. Check Point and some other vendors allow you to keep multiple rule bases. This is another test in the Best Practices report.
6. Remove duplicate objects, for example, a service or network host that is defined twice with different names. The Best Practices Report can identify these.
7. Reduce shadowing as much as possible. You can detect partially shadowed rules with Policy Analysis.
8. Break up long rule sections into readable chunks of no more than 20 rules. This too can be checked with the Best Practices report.
9. Document rules, objects and policy revisions – for future reference. You can do this with some vendor tools.
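As an added example (not from the original post, and not SecureTrack code), here is a small Python script that runs three of the checks above, full shadowing, expiry and duplicate objects, over a constructed rule base. The rule fields, object names and sample addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    src: str                       # CIDR
    dst: str                       # CIDR
    service: str                   # e.g. "tcp/443" or "any"
    action: str                    # "accept" / "drop"
    expires: Optional[date] = None # None = never expires

def covers(outer: Rule, inner: Rule) -> bool:
    """True if `outer` matches every packet that `inner` would match."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.service in ("any", inner.service))

def shadowed_rules(rules):
    """Rule i is fully shadowed when an earlier rule already decides every
    packet it matches, so it can never fire (action is irrelevant here)."""
    return [r.name for i, r in enumerate(rules)
            if any(covers(prev, r) for prev in rules[:i])]

def expired_rules(rules, today: date):
    """Rules whose expiry date has passed."""
    return [r.name for r in rules if r.expires and r.expires < today]

def duplicate_objects(objects):
    """Groups of object names that resolve to the same value (best practice 6)."""
    by_value = {}
    for name, value in objects.items():
        by_value.setdefault(value, []).append(name)
    return [names for names in by_value.values() if len(names) > 1]

# Constructed sample rule base and object table (assumed data, not real config).
RULES = [
    Rule("allow-web", "10.0.0.0/8", "192.168.1.10/32", "tcp/443", "accept"),
    Rule("allow-web-host", "10.1.2.0/24", "192.168.1.10/32", "tcp/443", "accept"),
    Rule("temp-vendor", "203.0.113.0/24", "192.168.2.0/24", "tcp/22", "accept",
         date(2012, 1, 31)),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "drop"),
]
OBJECTS = {"web_srv": "192.168.1.10", "WebServer": "192.168.1.10",
           "db_srv": "192.168.1.20"}

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES))
    print("expired:", expired_rules(RULES, date.today()))
    print("duplicates:", duplicate_objects(OBJECTS))
```

This only detects a rule shadowed by a single earlier rule; a rule shadowed by the union of several earlier rules needs a set-based check such as Policy Analysis. A shadowed rule whose action differs from the rule that shadows it is worth a second look before deleting, since it usually records an intent the rule base no longer enforces.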
