The rule bases that run your network firewalls get complicated after years of use. It is overflowing with outdated, outdated, duplicate, and contradictory policies. You should periodically review and clear these rule bases for better performance, more robust security, and regulatory compliance.
Firewall rule bases tend to get vast and sophisticated over time. A hundred regulations were once thought to be excessive. However, it is not uncommon today to have hundreds or even thousands of rules on firewalls, many of which are overridden when IT operations add new rules to meet business demands and neglect to remove old rules.
Analyzing configurations for firewalls in most organizations has gone beyond human computing capacity due to the multiplicity and complexity of rules found in firewalls. Therefore, firewall policy analysis processes are automated by opting for firewall rule auditing tools to help network administrators catch misconfigurations, avoid conflicting rules, identify vulnerabilities, and meet audit and compliance requirements.
Even if you only have a few firewalls, they may contain wholly or partially obsolete or expired rules or overlap or overshadow each other if they have been in place for several years.
If you have numerous network administrators or firewalls in your firm, the problem becomes even worse. As the firewall rule base grows and becomes cumbersome, it begins to affect firewall performance. A bloated and uncleaned firewall rule base is difficult to maintain and can hide real security risks.
In addition, regulatory requirements and industry mandates such as PCI DSS require regular cleanup of unused firewall rules and objects. You should review firewall and router configurations every six months according to PCI DSS requirements.
Why Should You Cleanup Your Firewall Rule Base?
Firewall Performance Impact: The firewall policy base always tends to grow as network administrators adjust them to handle firewall policy changes. If the firewall rule base is not cleaned, it swells to have hundreds or even thousands of rules that make it difficult for the firewall to work effectively and cause performance degradation.
Firewall Configuration Errors: Some unneeded rules and duplicate rules are likely to create configuration issues in complex firewall rule sets. Because of the large size of the rule base, finding the problem and correcting it becomes more difficult for the administrator.
Vulnerability: The unmanaged and unsupervised firewall rule base may contain rules and objects that create a vulnerability in your network. You may not want bad rules on your firewall, but you may never know that there are these old and unused rules in your firewall that pose a threat to your network access control.
Regulatory Compliance Requirements: Compliance policies such as PCI DSS require purging unused firewall rules and objects. According to PCI DSS Requirement 1.1.7, firewall and router rule sets must be reviewed at least every six months.
Therefore, to achieve optimized firewall performance, you must identify redundant, duplicate, obsolete, unused, and shadowed rules and remove them from the firewall policy base.
- Redundant or duplicate rules slow firewall performance because they require the firewall to process more rules in turn.
- Redundant or obsolete rules make rule management more complex, creating a security risk by opening a port or VPN tunnel.
- Shadowed rules can override all other critical rules.
- Conflicting rules can create backdoor entry points.
- Unnecessary firewall rules can complicate firewall security controls.
- Incorrect rules that contain typographic or specification errors can cause rules to malfunction.
How to Cleanup Your Firewall Rule Base
The following is a list of best practices for clearing the policy base of a firewall or router. The apps mentioned in the list apply whether you use a firewall management tool or not, but it’s easier to perform tasks and get good results if you have a tool to automate these activities.
Structural Redundancy Analysis
Structural redundancy does not need additional data and relies on identifying rules covered by other rules and having the same action (redundant rules) or the opposite action (shadowed rules). Either way, a redundant or shadowed rule is a candidate for elimination.
In addition to redundant and shadowed rules, you should also find rules that cause redundancy, unreferenced objects, time-inactive rules, disabled rules. You can use an automated firewall management tool to perform a structural redundancy analysis to determine redundancy rules. Automated tools help you generate a report or even a cleanup script.
Log Usage Analysis
Log usage analysis identifies rules and objects that can be eliminated based on zero usage as analyzed using log data. Firewall management tools typically use log data files to use log data, with which you can generate reports and cleanup scripts.
You can run the script to remove defined rules and objects from the firewall rule base. It will be more effective if you examine everyday usage first and remove any needless rules. Cleared rules can be removed or disabled from the configuration. A structural cleaning report can then be generated to identify additional rules that can be removed.
- Delete completely shadowed rules that are effectively useless. Most rules are often entirely or partially shadowed by other policies due to a superset of ports allowed by other policies. These shadowed rules should be carefully defined by sorting rules by service, then evaluating and removing them. Partially shadowed rules can be divided into relevant groups.
- Delete expired and unused rules and objects. Any rule created temporarily and expired is eligible for immediate deletion. Disabled rules can also be reviewed and deleted.
- Identical and unnecessary rules can also be marked for deletion. Comparing hit counts between rules can help identify an unused rule that can be deleted. Similarly, unnecessary objects should be identified and removed.
- Remove unused links, including specific unused source/destination/service paths.
- Apply object naming conventions that make the rule base easy to understand. For example, use a consistent format for hosts, such as hostname_IP.
- Standardize the naming and grouping of objects. Avoid a group within groups unless necessary. Such practices will help to identify redundantly and shadowed rules during a cleaning cycle quickly.
- Delete old and unused policies.
- Remove duplicate objects such as a service or network host defined twice with different names.
- Observe hits in rule statistics to find unneeded rules. Keep an eye on the hit count for at least a month and submit the results to gain approval for cleaning.
- Reduce shading as much as possible.
- Break long rule sections into readable chunks of up to 20 rules.
- A thorough examination of the network and an understanding of the ancillary functions will aid in grouping rules without altering the risk involved.
- Create and keep up-to-date a document containing rules, objects, and policies for future reference. Define, document, and publish a firewall management policy that includes various details such as grouping of functionality-based rules (Administration, VPN, Business Services), location of rules, log policies, naming conventions, services allowed across regions.
- Identify and implement a way to document the details of the required access. If a Change Control Process is already in use, more information must be collected, such as associated businesses, associated applications, names, and contact details of responsible persons. Also, document the Change control number below the firewall rule description.
- Review your security rule base and policies quarterly. Like any other remediation process, this is a continuous cycle that must be monitored by audits and preferably repeated quarterly to maintain and improve the firewall rule base.
Firewall Rule Base Cleaning Recommendations
Firewall rule bases and policies are a set of rules that determine what can and cannot pass through the firewall. Rule bases tend to become very large and complex over time if not reviewed periodically.
They often contain partially or wholly obsolete, expired, or shadowed rules. The problem becomes worse if numerous administrators make adjustments or if your company has a large number of firewalls.
As the firewall rule base grows and mixes, it begins to affect firewall performance. It is difficult to maintain and can hide real security risks. Also, standards such as PCI-DSS require cleaning up unused firewall rules and objects.
One of the main functions of firewalls is access control. Because all access is inherently risky, controlling access can help prevent that risk and provide an opportunity to assess risk against business needs.
However, firewall rule complexity reduces the benefit of access control by limiting visibility into the access you grant, eroding your ability to evaluate the business rationale for that access, and increasing the cost associated with security management.
Firewall policy complexity results in unnecessary, outdated, unenforceable, or conflicting rules that allow excessive permissive access, erroneously deny access, introduce unnecessary risk, and degrade network performance.
It requires short-term actions to improve the current state of the firewall and long-term efforts to prevent problems from recurring in the future.
Thousands of rules and objects that have gathered in your firewalls over the years and are now out of date may cause a slew of issues. However, removing rules is not easy as it can cause application interruptions.
Inflated rule sets not only add complexity to day-to-day tasks such as change management, troubleshooting, and auditing, but they can also affect the performance of your firewall devices, resulting in reduced hardware lifespan.
1. Remove technical errors in the rules
Technical errors in firewall policies are rules that can be described as ineffective or inaccurate or that do not serve a business purpose. The primary example of a technical error is a hidden rule with unnecessary and shadowed rules.
Both are rules, or parts of rules, that the firewall will never evaluate because a previous rule would match incoming traffic. The difference is that a redundant rule performs the same action as the rule that hides it, whereas a shadowed rule performs the reverse.
Removing shadowed rules is a low-risk change because after they are removed, there is no change in firewall behavior. In other words, hidden rules would, by definition, never be evaluated by the firewall, so removing them would not affect policy behavior.
However, setting secret rules is no trivial task. The size and complexity of a typical enterprise firewall make it very difficult to analyze the firewall rule base manually. Many organizations turn to automated firewall policy analysis tools to significantly assist in accurate and complete identification and turn this painstaking process into a simple one.
2. Remove unused accesses
Unused access rules inflate a firewall policy, which causes confusion and errors. Analyze and correlate the active firewall policy with the network traffic model to determine rule usage.
Analyzing network traffic over a long period will definitively show which rules are used and which are not. Identifying and removing unused rules reduces policy complexity, improves overall security posture, and aids compliance initiatives.
3. Review rules and refine access
Firewall rule review is an absolute must to ensure firewall policies effectively control access. Eliminating errors and removing unused accesses is an excellent step in firewall cleanup.
However, simply stating that a rule is used does not mean it is necessary. Firewall rules must be justified against a defined business need, and the need for that rule outweighs the risk it presents. If not, access should be refined.
Start with rules that use “ANY,” as these are probably the rules that pose the most significant risk. Broadly defined rules are often created with excessive access due to poorly defined business requirements. Refining broad access rules to include only necessary access can significantly impact firewall management and security.
4. Monitor the policy constantly
Maintaining an effective, efficient and accurate firewall policy is an ongoing process that requires real-time policy monitoring and change control. The goal is to receive timely notification when a security policy violation occurs so you can act quickly to correct course. Also, firewall rule cleanup should be a prescriptive process that is performed frequently.