Firewall Spring Cleaning
Posted by Gunter Ollmann on July 01, 2007 at 10:54 PM EDT.

You’d think that after nearly twenty years of firewalls being the frontline defense for enterprises, all the kinks would have been worked out by now.   To be fair, as defenses go, the good old firewall has stood up surprisingly well in the face of increasingly complex networked environments and ever demanding applications.

The kinks I’m talking about have nothing to do with a specific technology implementation or configuration interface, not even how they are being deployed, but rather the way in which they are maintained.  Like a much loved toy relegated to the bottom of the storage box after years of play, firewalls often find themselves similarly tucked away and forgotten about.

Firewall Rulesets

Over the weekend I had the opportunity to help a friend optimize a fairly complex firewall policy.  I remember the last time I helped review this particular enterprise firewall and had to sift through its ruleset – if memory serves me well, it was something like three years ago.  Over that period the ruleset had accumulated an additional couple of hundred rules and had made it a nightmare to maintain (not to mention the degradation of system performance and security).

Not only was maintenance difficult, but the increase in additional rules and their alerts had swamped the event logs to such a degree that any team supposed to monitor them had pretty much given up on the firewall and would never have been able to spot an attack in progress.

Deciphering a big firewall ruleset is not so much difficult as tedious.  While there are a handful of free tools out there that do a pretty good job at flagging redundant and superseded rules, none of them accounts for the actual context of a rule.  For example, it takes a human to look at a rule named “temp_payment_srv2” which allows remote access to TCP port 8080 on a host called “betaSRV2”, situated in the “QA” VLAN – and to question whether that host still exists and whether the rule is genuinely required.

By the time I had gone through several rounds of Q&A to find out what a particular host or network segment did and whether it was still needed, the ruleset had shrunk down to about one-third of its starting size – and finally required about one-fifth the number of alerting rules.

Spring Cleaning

Over the years I guess I’ve had to do this kind of thing to maybe thirty or forty large enterprise firewalls – sifting through rulesets, deciphering network topology maps, consolidating rules, and optimizing the security performance of the firewall.  Unfortunately it doesn’t get any easier over time, and the longer someone leaves it between “spring cleans” the tougher it gets.

For those of you contemplating the tuning and optimization of an enterprise firewall, some of the things I’d recommend when tuning rulesets include:

  1. Try to keep the rulesets as simple as you can, and consolidate them wherever possible.
  2. Use informative names for each rule and group.  Stay away from using names like “host3_FTP_allow” which are probably self-evident from just looking at the rule – instead use something like “Finance_Server_Payroll_Uploads”.
  3. Collect all temporary rules together, and try to keep them at the top of the ruleset so they can be found quickly and to also serve as a reminder that their existence should be queried regularly.
  4. If possible, use comments to track when the rule was added and (most importantly for temporary rules) when it should be reviewed or deleted.
  5. Keep an eye out for hosts or network segments that have been removed and adjust the network topology map accordingly.
  6. If a host, network address or group functionality changes, make sure that their names are adjusted within the ruleset to reflect the change.
  7. Keep alerting to a minimum.  Factor in the organization’s ability to analyze and respond to the alerts that are raised.
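As a worked example of the mechanical part of that checklist (this is added code, not the author’s and not any vendor’s tool), here is a first-pass ruleset linter.  It flags rules that can never fire because an earlier rule already matches all of their traffic (the “redundant and superseded” rules that tools can catch), temporary rules whose review date has passed or was never recorded, and temporary rules buried below permanent ones.  It assumes a constructed, vendor-neutral CSV export with the columns name,src,dst,proto,port,action,comment; the sample rows, the “temp_” naming prefix and the added=/review= comment tags are my own conventions.  The context questions (does betaSRV2 still exist?) remain a human job.

```python
"""Added example: a first-pass linter for a firewall ruleset export.

Assumed (constructed) format: CSV with columns
name,src,dst,proto,port,action,comment
where src/dst are CIDRs, proto is tcp/udp/any, port is a number,
a range "lo-hi" or "any", and the comment may carry
"added=YYYY-MM-DD" and "review=YYYY-MM-DD" tags.
"""
import csv
import io
import ipaddress
import re
from datetime import date

# Constructed sample policy (not a real enterprise's ruleset).
SAMPLE_RULESET = """\
name,src,dst,proto,port,action,comment
Finance_Server_Payroll_Uploads,10.10.0.0/24,10.20.5.10/32,tcp,22,allow,added=2004-03-02
Corporate_LAN_to_Web_Any,10.0.0.0/8,0.0.0.0/0,tcp,80-443,allow,added=2004-01-15
temp_payment_srv2,10.10.0.0/24,10.30.7.2/32,tcp,8080,allow,added=2006-11-01 review=2006-12-01
Block_Legacy_Telnet,10.0.0.0/8,0.0.0.0/0,tcp,23,deny,added=2005-06-30
host3_FTP_allow,10.10.0.5/32,10.20.5.10/32,tcp,21,allow,added=2005-02-10
Marketing_To_Intranet,10.10.2.0/24,10.20.5.10/32,tcp,443,allow,added=2006-02-10
temp_vendor_vpn_test,192.168.50.0/24,10.20.0.0/16,udp,1194,allow,added=2007-05-01
Block_Legacy_Telnet_QA,10.44.0.0/16,0.0.0.0/0,tcp,23,deny,added=2006-03-01
Deny_Guest_Web,10.10.9.0/24,0.0.0.0/0,tcp,80,deny,added=2007-01-20
"""


def _parse_port(spec):
    """'any' -> whole range; '22' -> (22, 22); '80-443' -> (80, 443)."""
    if spec.strip().lower() == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def _tag_date(comment, tag):
    """Pull an ISO date out of a 'tag=YYYY-MM-DD' marker in the comment."""
    m = re.search(rf"\b{tag}=(\d{{4}}-\d{{2}}-\d{{2}})", comment)
    return date.fromisoformat(m.group(1)) if m else None


def parse_ruleset(text):
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append({
            "name": row["name"],
            "src": ipaddress.ip_network(row["src"], strict=False),
            "dst": ipaddress.ip_network(row["dst"], strict=False),
            "proto": row["proto"].lower(),
            "port": _parse_port(row["port"]),
            "action": row["action"].lower(),
            "added": _tag_date(row["comment"], "added"),
            "review": _tag_date(row["comment"], "review"),
        })
    return rules


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and a["proto"] in ("any", b["proto"])
            and a["port"][0] <= b["port"][0] and b["port"][1] <= a["port"][1])


def find_shadowed(rules):
    """Rules that can never fire because an earlier rule already matches all
    of their traffic (first match wins).  Same action -> 'redundant' (safe to
    drop); different action -> 'conflict' (the later rule's intent is never
    enforced, which is the dangerous case)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier["action"] == later["action"] else "conflict"
                findings.append((later["name"], earlier["name"], kind))
                break
    return findings


def is_temporary(rule):
    return rule["name"].lower().startswith("temp_")


def find_temp_issues(rules, today):
    """Temporary rules with no review date, an overdue review date, or a
    position below the first permanent rule."""
    findings = []
    first_permanent = next((i for i, r in enumerate(rules) if not is_temporary(r)), len(rules))
    for i, r in enumerate(rules):
        if not is_temporary(r):
            continue
        if r["review"] is None:
            findings.append((r["name"], "no review date recorded"))
        elif r["review"] < today:
            findings.append((r["name"], f"review overdue since {r['review']}"))
        if i > first_permanent:
            findings.append((r["name"], "sits below a permanent rule"))
    return findings


if __name__ == "__main__":
    policy = parse_ruleset(SAMPLE_RULESET)
    for name, by, kind in find_shadowed(policy):
        print(f"{kind:9} {name} (shadowed by {by})")
    for name, issue in find_temp_issues(policy, date.today()):
        print(f"temporary {name}: {issue}")
```

Run against the sample, the linter reports Marketing_To_Intranet and Block_Legacy_Telnet_QA as redundant, Deny_Guest_Web as a conflict (the broad allow above it wins, so guests are not actually blocked), and both temp_ rules as overdue or undated and out of place.  A real cleanup still needs the Q&A rounds described above before anything is deleted; the point of the script is to shorten the list of rules that need a human’s attention.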

Whether you prefer the proverb “an ounce of prevention is worth a pound of cure” or “a stitch in time saves nine”, I wholeheartedly recommend that enterprises undertake an annual review of their firewall rulesets.  Think of it as a little bit of spring cleaning and preventative maintenance all rolled into one.

    Copyright 2001-2007 © Gunter Ollmann