There's no denying that IT budgets are currently being squeezed harder than ever before, so "sweating your existing assets" and "doing more with less" have become increasingly important.
One simple way of doing more with less is to take a look at your firewall rule base. Tuning and updating your firewall rules is one of the most cost-effective ways to improve your overall system's performance. Done effectively, in fact, it can give you as much as a 30% performance improvement.
Reviewing and cleansing firewall rules is often overlooked or ignored, particularly as a regular maintenance activity. After implementing the firewall, most organisations continuously add and amend rules. Few, however, check if they're still relevant, appropriate and required on a regular basis.
IT departments can be unwilling to review or amend rules, fearing that deleting or amending a rule may leave them vulnerable to security threats. Often, the rule base is only cleansed as part of an upgrade procedure or because the rule base has become so unmanageable that it is causing problems.
A typical firewall can function very effectively with a rule base of around 100 lines, yet it's not uncommon for them to have at least 500 rules and, in some cases, many thousands. Over time, the firewall rule base evolves into an extremely bulky linear list which, far from assisting, clogs and slows down the system and creates a bottleneck on the network. It's not difficult to see where the performance goes if every packet passing through the firewall has to be checked against a lengthy set of rules, many of which are outdated, have been superseded or are no longer relevant.
Buying a new firewall
Given the complexity and age of many firewall rule bases, it's understandable that IT departments have real concerns that deleting or disabling specific rules may create more problems than it solves. But this needn't be as complicated or as difficult as it sounds: there are now rule-base analysis packages available from several vendors, including Tufin Software Technologies Ltd., Algosec Inc., Secure Passage LLC and Skybox Security Inc. These products help you manage rule sets and reveal the consequences of changing or deleting individual rules. This kind of software is particularly useful when upgrading to a new firewall, as it allows users to cleanse their rule base and apply only the relevant rules to the new firewall -- ensuring that it works at optimum efficiency.
When to update and reorder firewall rules
If a new firewall isn't an option, there are several other ways in which reviewing your rule base can improve your system's performance. Bringing the most important rules to the top of the list will significantly improve response times.
To illustrate the point: rule-base analysis packages analyse your firewall log files to determine which rules get 'hit' the most, and show a hit percentage next to each of your firewall rules. If, for instance, rule number 20 shows 0%, you can remove or disable it, safe in the knowledge that the rule isn't being used; you'll be improving security and performance at the same time.
On the other hand, if rule 500 is being hit 75% of the time while rule 1 is being hit 5% of the time, it makes sense to reorder them. A firewall processes rules top-down and exits at the first match. Therefore, if 75% of the time your firewall has to work through 499 rules before finding a match, the processing is extremely and unnecessarily intensive.
It is worth noting that when building a rule base, start with a deny-all rule and then explicitly allow only what is needed; this keeps the rule base from becoming cumbersome or, for that matter, redundant.
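The hit analysis and reordering described in the three paragraphs above can be worked through on a small rule base. The following script is an added example written for this article; it is not code from the article or from any of the vendors named in it. It assumes a constructed five-rule base using documentation address ranges (10.0.0.0/8, 192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24), a made-up key=value log format that records which rule each packet hit, and a hypothetical final deny-all rule. It counts hits per rule, flags zero-hit rules, computes the average number of rules evaluated per packet before and after reordering, and adds the check a practitioner needs before reordering: a rule is only moved above another if the two can never match the same packet, so first-match semantics are preserved and the deny-all rule always stays last.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rid: int
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and self.proto in ("any", proto) and self.dport in (None, dport))

    def overlaps(self, other: "Rule") -> bool:
        """True if some packet could match both rules. Such pairs must keep
        their relative order, otherwise reordering changes what the firewall does."""
        proto_ok = "any" in (self.proto, other.proto) or self.proto == other.proto
        port_ok = None in (self.dport, other.dport) or self.dport == other.dport
        return (self.src.overlaps(other.src) and self.dst.overlaps(other.dst)
                and proto_ok and port_ok)


# Constructed rule base (hypothetical). Rule 2 is a legacy host that no longer exists;
# rule 5 is the deny-all rule the article recommends as the base of the policy.
RULES = [
    Rule(1, ip_network("10.0.0.0/8"), ip_network("192.0.2.10/32"), "tcp", 22, "allow"),
    Rule(2, ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24"), "tcp", 3389, "allow"),
    Rule(3, ip_network("0.0.0.0/0"), ip_network("192.0.2.20/32"), "tcp", 443, "allow"),
    Rule(4, ip_network("10.0.0.0/8"), ip_network("192.0.2.30/32"), "udp", 53, "allow"),
    Rule(5, ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), "any", None, "deny"),
]

# Constructed log lines in a made-up format; real products log differently.
LOG = (
    [f"2024-01-15T10:00:0{i} fw1 rule=3 action=allow src=203.0.113.{i} "
     f"dst=192.0.2.20 proto=tcp dport=443" for i in range(1, 8)]
    + ["2024-01-15T10:01:00 fw1 rule=1 action=allow src=10.1.1.5 dst=192.0.2.10 proto=tcp dport=22",
       "2024-01-15T10:01:01 fw1 rule=4 action=allow src=10.2.0.9 dst=192.0.2.30 proto=udp dport=53",
       "2024-01-15T10:01:02 fw1 rule=5 action=deny src=198.51.100.7 dst=192.0.2.20 proto=tcp dport=23",
       "2024-01-15T10:01:03 fw1 informational line with no rule field"]
)

LOG_RE = re.compile(r"rule=(\d+) action=\w+ src=([\d.]+) dst=([\d.]+) proto=(\w+) dport=(\d+)")


def parse_log(lines):
    """Yield (rule_id, src, dst, proto, dport) for every parsable line; skip the rest."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield int(m[1]), m[2], m[3], m[4], int(m[5])


def hit_counts(lines) -> Counter:
    return Counter(rid for rid, *_ in parse_log(lines))


def hit_percentages(rules, counts) -> dict:
    total = sum(counts.values()) or 1
    return {r.rid: round(100 * counts[r.rid] / total, 1) for r in rules}


def unused_rules(rules, counts) -> list:
    """Zero-hit rules that are candidates for disabling. The final deny-all rule
    is never a candidate, even if nothing was logged against it."""
    return [r.rid for r in rules[:-1] if counts[r.rid] == 0]


def expected_evaluations(rules, counts) -> float:
    """Average number of rules checked per logged packet: position weighted by hits."""
    total = sum(counts.values()) or 1
    return sum(pos * counts[r.rid] for pos, r in enumerate(rules, 1)) / total


def reorder(rules, counts) -> list:
    """Bubble frequently hit rules upward, but never past a rule they overlap with.
    Any two rules that can match the same packet overlap, so keeping every
    overlapping pair in its original order keeps every packet's first match."""
    order = list(rules)
    changed = True
    while changed:
        changed = False
        for i in range(1, len(order)):
            upper, lower = order[i - 1], order[i]
            if counts[lower.rid] > counts[upper.rid] and not lower.overlaps(upper):
                order[i - 1], order[i] = lower, upper
                changed = True
    return order


def first_match(rules, src, dst, proto, dport) -> Optional[int]:
    for r in rules:
        if r.matches(src, dst, proto, dport):
            return r.rid
    return None


def same_decisions(before, after, lines) -> bool:
    """Verify that every logged packet hits the same rule under both orderings."""
    return all(first_match(before, *pkt[1:]) == first_match(after, *pkt[1:])
               for pkt in parse_log(lines))


if __name__ == "__main__":
    counts = hit_counts(LOG)
    print("hit %:", hit_percentages(RULES, counts))
    print("unused:", unused_rules(RULES, counts))
    print("avg rules checked before:", expected_evaluations(RULES, counts))
    new = reorder(RULES, counts)
    print("new order:", [r.rid for r in new], "same decisions:", same_decisions(RULES, new, LOG))
    print("avg rules checked after:", expected_evaluations(new, counts))
```

On the constructed log the web rule (rule 3) takes 70% of the traffic and moves from position 3 to position 1, the zero-hit legacy rule 2 is reported as a removal candidate, and the average number of rules evaluated per packet drops from 3.1 to 1.7 (1.6 once rule 2 is removed) with every logged packet still hitting the rule it hit before. Two practical points the numbers depend on: the log window must be long enough to include infrequent but legitimate traffic (a rule that is hit only at month end will show 0% in a one-week sample), and the overlap check is what makes the reorder safe; analysis products apply the same principle when they report whether a proposed move shadows or unshadows another rule.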
Problems arise over time when people add more and more rules but fail to remove the ones that are no longer needed. Equally, a firewall that is left unchanged can become insecure when old services and servers are replaced with new systems and the rules for the previous systems are not removed from the rule base.
It is worth mentioning that Tufin has just released a feature called automatic policy generation (APG), which analyses firewall rule bases and derives an 'optimum' rule base from the traffic it sees. This is unique at present: no other vendor offers such technology at this point in time.
Firewall rule bases: A key to compliance
There's another key reason to review firewall rules more frequently: audit and compliance. Companies operating in certain industries, particularly retailing, financial services and healthcare, are increasingly being asked to provide assurances -- and are audited accordingly -- that they operate within the remit of industry guidelines and legislation such as the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley. An up-to-date, regularly maintained firewall rule base is an intrinsic part of providing the necessary audit trail and compliance information.
Reviewing and updating firewall rules may not be the most exciting activity, but given the tools now available and the obvious upside for performance, it may be one of the most effective ways to achieve that much-heralded goal of doing more with less.
About the author:
Nick Garlick is managing director of Nebulas Security Solutions Group. Send Nick your comments and security questions.