Over time, firewall rule bases tend to become large and complicated. They often include rules that are either partially or completely unused, expired or shadowed. The problem gets worse if there have been multiple administrators making changes or if there are many firewalls in your organization.
When the rule base gets big and tangled, it starts to affect firewall performance. It is difficult to maintain, and it can conceal genuine security risks. And standards such as PCI-DSS require clean-up of unused rules and objects.
With some help from our customers, I’ve put together a list of best practices for cleaning up a firewall (or router) rule base. You can do all of these checks on your own, but if you have a Firewall configuration management product you can run most of them automatically.
1. Delete fully shadowed rules that are effectively useless. If you have SecureTrack, these are detected by the Rule and Object Usage report. 2. Delete expired and unused rules and objects. All of these are detected by the Rule and Object Usage and the Expired Rules reports.
3. Remove unused connections – specific source/destination/service routes that are not in use. You can detect those using the Automatic Policy Generator to analyze traffic patterns.
4. Enforce object naming conventions that make the rule base easy to understand. For example, use a consistent format such as host_name_IP for hosts. This is an option in the SecureTrack Best Practices report.
5. Delete old and unused policies. Check Point and some other vendors allow you to keep multiple rule bases. This is another test in the Best Practices report.
6. Remove duplicate objects, for example, a service or network host that is defined twice with different names. The Best Practices Report can identify these.
7. Reduce shadowing as much as possible. You can detect partially shadowed rules with Policy Analysis.
8. Break up long rule sections into readable chunks of no more than 20 rules. This too can be checked with the Best Practices report.
9. Document rules, objects and policy revisions – for future reference. You can do this with some vendor tools.
Some of your most important security checks also help you maintain a clean, compact rule base. Try these:
1. Define a zone-based compliance policy and check it by running an audit report.
2. Identify and reduce insecure rules using the Best Practices report, the Security Risk Report, and the PCI-DSS report if it is relevant for your organization.
3. Optimize performance:
- Remove bad traffic and clean up the network. Notify server administrators about servers hitting the firewall directly with outbound denied DNS/NTP/SMTP/HTTP(S) requests as well as dropped/rejected internal devices. The administrators should then reconfigure the servers not to send this type of unauthorized outbound traffic, thereby taking load off the firewall.
- Filtering unwanted traffic can be spread among firewalls and routers to balance the performance and effectiveness of the security policy:
- Identify the top inbound dropped requests that are candidates to move upstream to the router as ACL filters. This can be time consuming, but it is a good method for moving blocks upstream to the router and saving firewall CPU and memory.
- If you have an internal choke router inside your firewall, also consider moving common outbound traffic blocks to your choke routers, freeing more processing on your firewall.
- Remove unused rules and objects from the rule bases.
- Reduce rule base complexity – rule overlapping should be minimized.
- Create a rule to handle broadcast traffic (bootp, NBT, etc.) with no logging.
- Place the heavily used rules near the top of the rule base. Note that some firewalls (such as Cisco Pix, ASA version 7.0 and above, FWSM 4.0 and certain Juniper Networks models) don’t depend on rule order for performance since they use optimized algorithms to match packets.
- Avoid DNS objects requiring DNS lookup on all traffic.
- Your firewall interfaces should match your switch and/or router interfaces. If your router is half duplex your firewall should be half duplex. If your switch is 100 Mbit your firewall interface should be hard-set to match your switch; both should most likely be hard-set to 100 Mbit full duplex. Your switch and firewall should both report the same speed and duplex mode. If your switch is gigabit, your switch and firewall should both be set to auto-negotiate both speed and duplex. If your gigabit interfaces do not match between your firewall and switch, you should try replacing the cables and patch panel ports. Gigabit interfaces that are not linking at 1000 Mbit full duplex are almost always a sign of other issues.
- Separate firewalls from VPNs to offload VPN traffic and processing.
- Offload UTM features from the firewall: AV, AntiSpam, IPS, URL scanning.
- Upgrade to the latest software version. As a rule of thumb, newer versions contain performance enhancements but also add new capabilities, so a performance gain is not guaranteed.