We've now crossed the halfway point in our series on simplifying firewall audits and ensuring continuous compliance, and that brings us to a major housekeeping project that admittedly is not fun, but is necessary. Without going through your rule base, which, depending on how it has been managed over the years, can be VERY ugly, the audit pain will be significant, and it will never get better in future audits unless you address it.
Quickly, let's review the first three steps to making your life easier when it comes to audits and ensuring compliance:
And now, let's dig into step 4!
Step 4: Cleanup and Optimize Your Rule Base
In general, if you don't maintain and take care of something, it gets messy. Firewalls are no different. Over time, rules are added, removed and changed, often with little documentation of what was changed, why, and by whom.
Removing firewall clutter and optimizing your rule base can greatly improve IT productivity and firewall performance, and it removes a lot of unnecessary overhead from the audit process. Here's a top ten list (in no particular order) of items to manage. Again, as with an audit, this can't be set and forget: once you've optimized your rule set, you want to maintain that optimized policy over time.
- Delete covered (shadowed) rules: a rule that sits below an earlier rule matching all of the same traffic is never reached and is effectively useless.
- Delete or disable expired and unused rules and objects.
- Identify disabled, time-inactive and unused rules, which are candidates for removal.
- Evaluate the order of firewall rules for effectiveness and performance (on a first-match firewall, the most frequently hit rules should sit near the top, as long as moving them doesn't change which rule wins for any traffic).
- Remove unused elements within rules: specific source, destination or service entries that the logs show are never matched.
- Detect similar rules that can be consolidated into a single rule.
- Identify overly permissive rules by analyzing actual policy usage against the firewall logs, then tune those rules to match policy and real-world use. For example, "ANY" might be used as the source address in several rules when the actual traffic only originates from a handful of IP addresses.
- Review other security devices such as VPNs. Analyze VPN parameters to identify unused users, unattached users, expired users, users about to expire, unused groups, unattached groups and expired groups.
- Enforce object naming conventions.
- Document rules, objects and policy revisions for future reference.
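To make the first, third and seventh items above concrete, here is an added example (not code from the original post and not tied to any particular firewall product) that runs three of these checks over a small constructed rule base and a few constructed log lines: it finds shadowed rules by checking whether an earlier rule covers a later rule's sources, destinations and services; it finds rules with no log hits; and it lists "ANY"-source allow rules whose logged traffic actually came from only a few addresses. The rule schema, the `rule=... src=... dst=... proto=... dport=...` log format and the `max_sources` threshold are all assumptions for the illustration.

```python
"""Added example: offline rule-base checks against a constructed rule set and log.

Assumed rule schema: src/dst are lists of CIDR strings or "any"; svc is a list
of "proto/port" strings or "any"; rules are evaluated first-match-wins, top down.
"""
import ipaddress
import re
from collections import defaultdict

ANY = "any"

# Constructed rule base (assumption: IPv4 only, first match wins).
RULES = [
    {"id": 1, "src": ["10.0.0.0/8"],    "dst": ["192.168.10.20/32"], "svc": ["tcp/443"],  "action": "allow"},
    {"id": 2, "src": ["10.0.1.0/24"],   "dst": ["192.168.10.20/32"], "svc": ["tcp/443"],  "action": "allow"},  # covered by rule 1
    {"id": 3, "src": [ANY],             "dst": ["192.168.10.30/32"], "svc": ["tcp/22"],   "action": "allow"},  # ANY source
    {"id": 4, "src": ["172.16.5.0/24"], "dst": ["192.168.20.0/24"],  "svc": ["tcp/8080"], "action": "allow"},  # never hit
    {"id": 5, "src": [ANY],             "dst": [ANY],                "svc": [ANY],        "action": "deny"},
]

# Constructed log lines in an assumed key=value format (one line per matched packet).
LOG_LINES = """\
rule=1 src=10.0.1.5 dst=192.168.10.20 proto=tcp dport=443
rule=1 src=10.2.7.9 dst=192.168.10.20 proto=tcp dport=443
rule=3 src=10.0.1.5 dst=192.168.10.30 proto=tcp dport=22
rule=3 src=10.0.1.6 dst=192.168.10.30 proto=tcp dport=22
rule=3 src=10.0.1.5 dst=192.168.10.30 proto=tcp dport=22
rule=5 src=203.0.113.7 dst=192.168.10.30 proto=tcp dport=3389
""".splitlines()

LOG_RE = re.compile(r"rule=(\d+) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def _covers_addr(outer, inner):
    """True if every network in `inner` lies inside some network in `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    # subnet_of() requires both sides to be the same IP version (IPv4 here).
    return all(
        any(ipaddress.ip_network(i).subnet_of(ipaddress.ip_network(o)) for o in outer)
        for i in inner
    )


def _covers_svc(outer, inner):
    """True if every service in `inner` is also listed in `outer`."""
    if ANY in outer:
        return True
    if ANY in inner:
        return False
    return set(inner) <= set(outer)


def shadowed_rules(rules):
    """Return {rule_id: earlier_rule_id} for rules that no packet can ever reach,
    because an earlier rule matches everything they match (whatever its action)."""
    shadowed = {}
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers_addr(earlier["src"], later["src"])
                    and _covers_addr(earlier["dst"], later["dst"])
                    and _covers_svc(earlier["svc"], later["svc"])):
                shadowed[later["id"]] = earlier["id"]
                break
    return shadowed


def parse_hits(lines):
    """Return {rule_id: [source_ip, ...]} from the constructed log format."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits[int(m.group(1))].append(m.group(2))
    return hits


def unused_rules(rules, hits):
    """Rule ids with zero log hits in the window the log covers."""
    return [r["id"] for r in rules if not hits.get(r["id"])]


def permissive_any_source(rules, hits, max_sources=5):
    """ANY-source allow rules whose logged traffic came from at most `max_sources`
    distinct addresses: return {rule_id: sorted sources} as tightening candidates."""
    candidates = {}
    for r in rules:
        if ANY in r["src"] and r["action"] == "allow":
            sources = sorted(set(hits.get(r["id"], [])))
            if 0 < len(sources) <= max_sources:
                candidates[r["id"]] = sources
    return candidates


if __name__ == "__main__":
    hits = parse_hits(LOG_LINES)
    print("shadowed:", shadowed_rules(RULES))            # {2: 1}
    print("unused:", unused_rules(RULES, hits))          # [2, 4]
    print("tighten:", permissive_any_source(RULES, hits))  # {3: ['10.0.1.5', '10.0.1.6']}
```

Two caveats when using something like this for real: a rule only shows up as "unused" if logging is enabled on it and the log window is long enough to include quarterly or year-end jobs, so treat a zero count as a candidate for review, not proof; and a shadowed rule whose action differs from the rule covering it (an allow under a broader deny, or the reverse) is not just clutter but a sign that someone's intent was never actually enforced, which is worth a conversation before it is deleted.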
Documentation is an obvious one (going back to the first blog in this series on gathering information), but if you're not keeping firewall policies clean on an ongoing basis, you are setting yourself up for a lot more digging through policies, trying to understand what is really going on. This isn't just bad for audits; it hurts your visibility into what's happening on your network. In part 5 of this blog series, we'll examine risk assessment and remediation. Stay tuned!