Configuration optimization techniques for firewalls can be divided into two groups: general best practices and vendor-specific, model-specific configurations. This article will focus on best practices. The following are 11 best practices for firewall administrators to use to optimize firewalls for better performance and throughput:
Ensure outbound traffic is compliant with policies: Remove bad traffic and clean up the network. Bad traffic includes non-compliant, unauthorized or undesired traffic. Notify server administrators about servers hitting the firewall directly with outbound denied Domain Name System (DNS), NTP, SMTP, HTTP and HTTP Secure (HTTPS) requests, as well as dropped/rejected internal devices. The administrators should then reconfigure the servers not to send this type of unauthorized outbound traffic (thereby taking load off the firewall).
Filter unwanted traffic on the router(s) instead of the firewall: Move the filtering rules for unwanted inbound traffic from the firewall to the edge router(s) to balance the performance and effectiveness of the security policy. To do this, first identify the top inbound dropped requests that are candidates to move upstream to the router as Standard Access Control List (ACL) filters. This can be a time-consuming process, but it is a good method for moving blocks upstream to the router, thus saving firewall CPU and memory.
Then, if you have an internal choke router between your network and firewall, consider moving common outbound traffic blocks to your choke routers. This will free more processing on your firewall.
Remove unused rules and objects: Remove unused rules and objects from the rule bases. While cleaning up an unwieldy rule base might sound like a daunting task, there are a variety of automated tools available that can assist with rule cleanup. These automated tools make firewall policy management a much more manageable endeavor.
Reduce rule base complexity: Reduce rule base complexity and rule overlapping should be minimized. Again, there are tools available that can dramatically reduce the time and headache involved in cleaning up and simplifying the rule base.
Handle broadcast traffic: If the firewall interface is directly connected to the LAN segment, you should create a rule to handle broadcast traffic (bootp, NetBIOS over TCP/IP, etc.) with no logging.
Place the heavily used rules near the top of the rule base: Note that some firewalls (such as Cisco Pix, ASA version 7.0 and above, FWSM 4.0, and certain Juniper Networks models) don't depend on rule order for performance since they use optimized algorithms to match packets.
Avoid DNS objects: Avoid objects requiring DNS lookups.
Firewall interface settings should match switch and router settings: Your firewall interfaces should match your router and/or switch interfaces. If your router or switch is 100M bps half-duplex, your firewall should be 100M bps half-duplex. Your interfaces should be hard set to match; both should most likely be 100M bps full-duplex.
Your router/switch and firewall should both report the same speed and duplex mode. If your switch and firewall are both Gigabit Ethernet, they should both be set to auto-negotiate the speed and duplex. If your Gigabit interfaces do not match between your firewall and switch, you should try replacing the cables and patch panel ports. Gigabit interfaces that are not linking at 1000M bps full-duplex are almost always a sign of other issues.
Separate firewalls from VPNs: Offload VPN traffic and processing.
Offload features from the firewall: Offload Unified Threat Management (UTM) features from the firewall including: antivirus, antispam, intrusion prevention system (IPS), and URL scanning.
Upgrade to the latest software version: Upgrade to the latest software version. As a rule of thumb, newer versions contain performance enhancements but also add new capabilities-so a performance gain is not guaranteed.
(Tufin is exhibiting at Infosecurity Europe is the No. 1 industry event in Europe held on 27th-29th April at Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk )