Security spring cleaning: Tidying up messy firewall rules to reduce complexity


Most security teams are waging a daily battle against complex IT infrastructures, advanced malware and a severe skills shortage – a trifecta that has forced them to tackle select “priorities,” while letting other important initiatives fall by the wayside.

One such task that usually falls to the bottom of the security “to-do” list is firewall rule cleanup. With so many things to do (managing next-gen architectures and combating sophisticated cyber criminals, for example) and so few resources available to help, it’s easy to understand how security teams have come to view firewall management as a trivial chore. But, it’s actually a critical one.

Firewalls are implemented to control access. At the core of each firewall is a policy made up of rules designed to enforce what access is permitted. Although there is risk associated with any access, by limiting permitted access, organizations can strengthen their risk profile. However, poor firewall management can have the opposite effect.

With the number of firewall rules growing exponentially (think tens of thousands in some enterprises) – thanks to continuously evolving threats, compliance regulations, cloud computing and advanced technologies (e.g. microsegmentation and software-defined networking) – poor firewall hygiene can quickly lead to a chaotic mess of rules that are outdated, unused, redundant or out-of-compliance.

Firewall policy mistakes are also common due to two main issues: associated complexity and excessive access. Not surprisingly, there is a strong correlation between the complexity of a firewall and the number of mistakes in the associated policy. And excessive access is extremely common (and most often unintentional) for three reasons:

Ineffective change management – Changes are made without considering the risk to the business or how best to implement them based on current policies.

Poor definition of business requirements – Change requests often lack context around the business objectives behind the request. Well-intentioned security administrators do their best to limit access based on the information they have, but often end up creating broad access rules (“ANY”) that meet business demand for timely access, but lack security hygiene.

Stagnation – Most organizations have well-established methods and procedures for adding rules to a firewall, but very few have strategies for removing rules that no longer serve a legitimate business purpose – causing the number of unused rules to skyrocket. In fact, we’ve found that, in a typical organization, 40-50% of firewall rules aren’t being used.

Add this all up, and you’re left with firewall policies that are not only ineffective at controlling access, but also result in misconfigurations, performance degradation, unnecessary risk and compliance gaps – all of which drive up operational costs, as firewall admins try to manage complex firewalls and correct policy mistakes.

We’re now in the full bloom of spring, and there’s no better time to prioritize firewall rule cleanup. Here are four recommendations to help you get rid of the security control clutter, reduce complexity and improve firewall rule management, while strengthening your security posture in the process:

1. Remove technical mistakes in rules

Technical mistakes in firewall policies are rules that can be identified as ineffective or incorrect, or those that do not serve a business purpose. A primary example of a technical mistake is a hidden rule, which includes redundant and shadowed rules. Both are rules (or portions of rules) that the firewall will never evaluate because a prior rule will match the incoming traffic. The difference between the two is that a redundant rule has the same action as the rule that hides it, and a shadowed rule has an opposite action.

Removing hidden rules is a very low-risk change, since after removal there is no change in firewall behavior. In other words, hidden rules, by definition, were never going to be evaluated by the firewall, so removing them will have no effect on the policy behavior. However, identifying hidden rules is no trivial task. The sheer size and complexity of a typical enterprise firewall makes it too difficult to perform manually, so many organizations turn to automated analysis, which can greatly help with accurate and complete identification and transform this painstaking process into a simple one.

2. Remove unused access

Unused access rules bloat a firewall policy causing confusion and mistakes. To determine rule usage, analyze and correlate the active policy against the network traffic pattern. Doing this over a sustained period will show definitively which rules are used and which are not. The identification and removal of unused rules not only reduces policy complexity, but also increases overall security posture and aids in compliance initiatives.

3. Review rules and refine access

Rule review is an absolute necessity to ensure firewall policies are effectively controlling access. Removing mistakes is a great first step. Removing unused access is a great next step. But, the simple determination that a rule is used does not mean it’s necessary. Rules should be justified against a defined business requirement – and the need for that rule must outweigh the risk it presents. If it doesn’t, access should be refined.

Start with rules that employ the use of “ANY,” as these likely present the greatest risk. As we discussed, these rules are typically created with excessive access due to poorly defined business requirements. Refining broad access rules to include only necessary access can have a significant impact on firewall management – and security.
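The three cleanup steps above (hidden rules, unused rules, and over-broad “ANY” rules) can all be checked offline against an exported policy. The following Python script is an added example written for this article, not code from the author or from any firewall vendor. It assumes a simplified rule model (IPv4 source and destination network, protocol, an inclusive destination-port range, and an allow/deny action) with first-match evaluation, and a constructed flow-log line format of the form `src=IP dst=IP proto=tcp dport=N`; the sample policy and log lines are constructed for illustration. The hidden-rule check is deliberately conservative: it only reports a rule that is completely covered by a single earlier rule, so it never produces a false positive, but it will miss a rule hidden only by the union of several earlier rules.

```python
"""Offline firewall-policy hygiene checks (added example, simplified rule model):
hidden rules (redundant/shadowed), unused rules from flow logs, and broad ANY rules."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY_NET = ip_network("0.0.0.0/0")   # "ANY" source or destination
ANY_PORTS = (0, 65535)              # "ANY" service


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str          # "tcp", "udp" or "any"
    ports: tuple        # inclusive destination port range (lo, hi)
    action: str         # "allow" or "deny"


def rule(name, src, dst, proto, ports, action):
    """Build a Rule; the string 'any' selects the unrestricted value for a field."""
    to_net = lambda s: ANY_NET if s == "any" else ip_network(s)
    if ports == "any":
        prange = ANY_PORTS
    elif "-" in ports:
        lo, hi = ports.split("-")
        prange = (int(lo), int(hi))
    else:
        prange = (int(ports), int(ports))
    return Rule(name, to_net(src), to_net(dst), proto, prange, action)


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_hidden(rules):
    """Rules fully covered by a single earlier rule under first-match evaluation.
    Returns {rule_name: (kind, hiding_rule_name)} with kind 'redundant' (same
    action as the hiding rule) or 'shadowed' (opposite action). Coverage by a
    union of earlier rules is not detected, which keeps the check free of
    false positives at the cost of missing some hidden rules."""
    hidden = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                hidden[later.name] = (kind, earlier.name)
                break
    return hidden


def parse_log(line):
    """Parse one constructed flow-log line: 'src=IP dst=IP proto=tcp dport=N'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return ip_address(kv["src"]), ip_address(kv["dst"]), kv["proto"], int(kv["dport"])


def matches(r, src, dst, proto, dport):
    """True if a single flow is matched by rule `r`."""
    return (src in r.src and dst in r.dst
            and r.proto in ("any", proto)
            and r.ports[0] <= dport <= r.ports[1])


def hit_counts(rules, log_lines):
    """Count, per rule, the flows for which it was the first matching rule."""
    hits = Counter({r.name: 0 for r in rules})
    for line in log_lines:
        flow = parse_log(line)
        for r in rules:
            if matches(r, *flow):
                hits[r.name] += 1
                break               # first match wins, as on the firewall
    return hits


def unused_rules(rules, log_lines):
    """Rules that matched no flow in the observed traffic window."""
    hits = hit_counts(rules, log_lines)
    return [r.name for r in rules if hits[r.name] == 0]


def broad_allow_rules(rules):
    """Allow rules using ANY for source, destination or service: review these first."""
    return [r.name for r in rules if r.action == "allow"
            and (r.src == ANY_NET or r.dst == ANY_NET or r.ports == ANY_PORTS)]


# Constructed sample policy (first-match order) and constructed flow-log lines.
POLICY = [
    rule("r1-web-in",     "any",          "10.0.1.0/24", "tcp", "443",  "allow"),
    rule("r2-legacy-web", "192.0.2.0/24", "10.0.1.0/24", "tcp", "443",  "allow"),  # hidden by r1
    rule("r3-ssh-admin",  "10.0.9.0/24",  "10.0.0.0/16", "tcp", "22",   "allow"),
    rule("r4-any-any",    "any",          "any",         "any", "any",  "allow"),  # over-broad
    rule("r5-block-db",   "any",          "10.0.2.0/24", "tcp", "3306", "deny"),   # hidden by r4
]
LOGS = [
    "src=203.0.113.5 dst=10.0.1.10 proto=tcp dport=443",
    "src=192.0.2.7 dst=10.0.1.10 proto=tcp dport=443",
    "src=198.51.100.9 dst=10.0.2.5 proto=tcp dport=3306",
    "src=10.0.1.10 dst=10.0.3.4 proto=udp dport=53",
]

if __name__ == "__main__":
    print("hidden:", find_hidden(POLICY))
    print("unused:", unused_rules(POLICY, LOGS))
    print("broad ANY allows:", broad_allow_rules(POLICY))
```

On the sample policy the script reports `r2-legacy-web` as redundant with `r1-web-in` and `r5-block-db` as shadowed by `r4-any-any` (a deny hidden beneath an allow-ANY rule, which is exactly the kind of mistake step 1 targets), lists `r2`, `r3` and `r5` as unused over the log window, and flags `r1` and `r4` as ANY rules for the step 3 review. Note that `r3-ssh-admin` is unused but not hidden: removing it changes policy behaviour, so it needs the business-justification review, whereas removing the two hidden rules does not.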

4. Continuously monitor policy

Maintaining an effective, efficient and correct firewall policy is an ongoing process that requires real-time policy monitoring and change auditing. The goal is to receive timely notifications when a violation of a security policy has occurred, so you can act quickly to course-correct. Additionally, firewall rule cleanup should be a prescriptive process that is performed on a frequent basis.

We’ve been hearing about the “end of the firewall” for years now, but the truth is, with the ever-evolving cybersecurity landscape and companies’ increasing adoption of next-gen architectures, firewalls are more critical today than ever before. Organizations can no longer afford to sweep firewall rule cleanup under the rug or ignore the many advantages proper firewall management provides. Enhanced firewall performance, reduced risk of error when making policy and configuration changes, increased security posture, stronger compliance with defined policies and industry regulations, and cost savings are all tangible benefits at your fingertips – you just need to eliminate the clutter and tidy up your firewall policies to reap the hidden reward.