Is your firewall a fire hazard?

Ask a firewall administrator to tidy up a rule base and get rid of every unused rule and object; or, if you really want to make someone’s life miserable, set them the task of finding all shadowed or overlapping rules or objects across your infrastructure, and I guarantee that after a few hours they’ll either resign or be carried away in a straitjacket. The problem, however, is that the longer you put off “tidying up” your firewall, the greater the risk that it catches “fire” and causes untold damage to your organization.

Firewalls are not, as some might suspect, something you install and set up once and then leave alone. In most organizations firewall configurations change on a daily basis, with continuous requests for services to be added, removed and modified. This is not only a complex procedure but also a very risky one for an organization.

No matter how well qualified or experienced your firewall administrator is, it is impossible for anyone to be really on top of every rule in every firewall. For example, how many of your staff fully understand your policies on which services are allowed and who may use them? This is something that even the most dedicated administrator would find impossible to keep track of. Add to this that not all firewall administrators are created equal, and you will find that very often the addition of a new service results in a major disaster because a change was made without first understanding its implications for other services. The bottom line for many companies is that they are not in control of their firewalls.

So what are some of the things that you should be addressing?

1. Tidy up your rule base – Firewalls are very often managed like in-trays. Every few days something new gets added on top of the existing configuration, with the result that rule bases grow to an unmanageable size. Very often rules overlap and nobody takes the time to check this, or, more likely, they simply do not know where to start. As more and more rules are added, the performance of the firewall decreases because it has to process possibly hundreds of rules to find a match. Very often companies purchase new firewalls because there’s just no room in the “old house”. It’s kind of like running out of disk space on your notebook, so you buy a new notebook with a bigger hard disk and copy everything from the old one to the new one. Cleaning the rule base can very often result in a reduction of up to 50% of rules, because they are either partially shadowed (overlapping) by other rules or they are simply never used. The bottom line is that effective management of your rule base can extend the lifespan of a firewall by many years – in other words, there’s no need to buy a new one. Bottom line: no unnecessary expenditure!

2. Monitoring any changes – Ask any security officer if they can be sure that firewall administrators adhere to corporate policies when changing firewall configurations and you’ll see tears in their eyes. Faced with increased scrutiny from auditors, many security departments need to provide monthly or quarterly reports on firewall changes. Many have absolutely no mechanism in place to get access to this information. In fact they would not even be able to pinpoint who actually made the changes.

At a time when organizations are reducing IT departments, and in many cases getting rid of contract staff, it is very often the case that contract staff are used to carry out roles such as firewall administration. Additionally, enforcing policies simply cannot be done manually. Having a policy that a service such as Kazaa is not allowed is one thing; being able to enforce it is a very different proposition. It is essential that policies are enforced and monitored.

3. Downtime – How does your organization translate a business service request into an actual change on the firewall? Would your staff fully understand what exactly needs to be changed, and where? How much time is lost and money spent trying to figure out why not only the new service is not working but in fact half the network is off the air! Offline simulation of changes should be standard practice. In fact a workflow that provides an audit trail from service request through to implementation should really be standard practice. It is one thing to approve a change and its design, and another to ensure that the change has been implemented as designed!
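The three points above (shadowed and unused rules in step 1, reporting what changed in step 2, and simulating a change offline in step 3) can all be checked against a plain first-match rule model. The following is an added example written for this article, not the author's or any vendor's tool: a toy rule-base analyser in which the rule base, hit counters, the proposed change and the sample flows are all constructed for illustration. The proposed change is a "block low ports into the DMZ" rule placed at the top, and the simulation shows that it would also cut off the HTTPS service that staff actually use, while the shadowed deny rule remains dead either way.

```python
# Added example (not from the original article): a toy rule-base analyser that
# finds shadowed and unused rules, diffs two rule-base snapshots for a change
# report, and simulates a proposed change offline against sample flows.
# All rules, hit counts and flows below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

Flow = Tuple[str, str, str, int]  # (src_ip, dst_ip, proto, dst_port)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range; (0, 65535) = any
    action: str              # "allow" or "deny"
    hits: int = 0            # hit counter exported from the firewall (constructed)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where the later rule can never fire because an
    earlier rule already matches all of its traffic, whatever the actions are.
    A shadowed DENY is the dangerous case: the block the policy promises never happens."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


def find_unused(rules: List[Rule]) -> List[str]:
    """Rules with no hits in the exported counters: candidates for removal."""
    return [r.name for r in rules if r.hits == 0]


def _key(r: Rule):
    # Hit counters change constantly, so they are left out of the change comparison.
    return (r.name, r.src, r.dst, r.proto, r.ports, r.action)


def diff_rulebases(before: List[Rule], after: List[Rule]) -> Tuple[List[str], List[str]]:
    """(added, removed) rule names between two snapshots; an edited rule shows up as both."""
    old, new = {_key(r) for r in before}, {_key(r) for r in after}
    return sorted(k[0] for k in new - old), sorted(k[0] for k in old - new)


def matches(rule: Rule, flow: Flow) -> bool:
    src, dst, proto, port = flow
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.ports[0] <= port <= rule.ports[1])


def decide(rules: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation, as most firewalls do it; returns (action, rule name)."""
    for r in rules:
        if matches(r, flow):
            return r.action, r.name
    return default, "implicit-default"


def simulate_change(before: List[Rule], after: List[Rule], flows: List[Flow]):
    """Offline what-if: the flows whose verdict changes if `after` replaces `before`."""
    changed = []
    for f in flows:
        a, b = decide(before, f)[0], decide(after, f)[0]
        if a != b:
            changed.append((f, a, b))
    return changed


# Constructed rule base: an "in-tray" that grew one request at a time.
RULES = [
    Rule("allow-web", "10.0.0.0/8", "192.0.2.10/32", "tcp", (443, 443), "allow", hits=51230),
    Rule("allow-any-to-dmz", "10.0.0.0/8", "192.0.2.0/24", "any", (0, 65535), "allow", hits=870),
    Rule("allow-web-dup", "10.1.0.0/16", "192.0.2.10/32", "tcp", (443, 443), "allow", hits=0),
    Rule("deny-dmz-db", "10.0.0.0/8", "192.0.2.20/32", "tcp", (3306, 3306), "deny", hits=0),
    Rule("allow-legacy-ftp", "10.5.0.0/16", "198.51.100.7/32", "tcp", (21, 21), "allow", hits=0),
]

# Constructed change request: "block low ports into the DMZ", inserted at the top.
PROPOSED = [Rule("block-dmz-low-ports", "10.0.0.0/8", "192.0.2.0/24",
                 "tcp", (0, 1023), "deny")] + RULES

# Constructed sample flows representing what the business actually uses.
FLOWS: List[Flow] = [
    ("10.1.2.3", "192.0.2.10", "tcp", 443),    # staff -> intranet web
    ("10.1.2.3", "192.0.2.20", "tcp", 3306),   # staff -> DMZ database
    ("10.5.1.1", "198.51.100.7", "tcp", 21),   # legacy FTP job
]

if __name__ == "__main__":
    print("shadowed:", find_shadowed(RULES))
    print("unused:", find_unused(RULES))
    print("diff (added, removed):", diff_rulebases(RULES, PROPOSED))
    print("verdicts that change:", simulate_change(RULES, PROPOSED, FLOWS))
```

Run as a script it reports that `allow-web-dup` is shadowed by `allow-web`, that `deny-dmz-db` is shadowed by the broad `allow-any-to-dmz` (so the database is not actually protected), that three rules have never matched, and that pushing the proposed rule would turn the staff HTTPS flow from allow into deny. Real rule bases also carry negated objects, zones, NAT and time conditions, which this model leaves out; the point is that shadowing and unused-rule checks are a pure function of the rule base plus counters, and a what-if run over the flows you care about is cheap compared with an outage.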

Of course there are many other issues to be considered, but if you at least start with these three steps and use tools that are readily available, you’ll discover that things will be a lot tidier.
