Beach season is officially here! If you want to spend more time this summer paying attention to the barbeque than your firewalls – then it’s time to get your firewalls in shape! A bloated firewall rule set will slow down firewall performance and hide security issues, making it difficult to track down access violations and availability issues. That means more risk that you’ll spend Saturday in the data center instead of manning the grill.
It might be too late to obtain six-pack abs before hitting the beach, but these six simple steps, provided by Skybox Security, will help guarantee you can relax this summer without worrying about your firewall.
Headquartered in San Jose, California, Skybox Security provides powerful risk analytics for cyber security, giving security management and operations the tools they need to eliminate attack vectors and safeguard business data and services. Skybox solutions provide a context-aware view of the network and risks that drives effective vulnerability and threat management, firewall management, and continuous compliance monitoring.
Step #1 – Specify guaranteed service paths
Firewalls are designed to keep malicious traffic from entering our networks, but sometimes this can create roadblocks for legitimate processes that require access to a company’s network. We need to make sure we don’t cut off all access through our firewalls. It’s just as important to continue to let the good traffic through as it is to keep the bad stuff out.
For the firewall shape-up, identifying guaranteed service paths is your baseline. Doing this first ensures that you maintain access to key business operations and prevents you from jeopardizing critical access when you optimize your rule sets.
Step #2 – Collect syslog data
Data collection is essential for helping to understand exactly what is going on with your network, and it’s just as helpful when you need to slim down your firewall rules.
Collect syslog information from the firewalls, as this data will provide you with the discrete usage information that we will use in the later steps. Syslog collection can be set up to happen automatically at whatever interval you require.
Step #3 – Review configuration policy
Targeting trouble spots in the rulebase is not enough. The tendency is to focus only on the rules enforced, but we need to consider the configuration of the firewall itself as well. Review the firewall configuration policies to make sure that the device's own settings, not just its access rules, are properly configured.
Step #4 – Remove shadowed and redundant rules
Efficiency is always the goal of IT security efforts, so it is important to make sure our firewall rules aren’t duplicating efforts – remove shadowed and redundant rules.
First let’s start with terminology clarification:
- Shadowed rules – a broad rule earlier in the rule chain completely eclipses a more narrowly written rule further down, so the narrower rule never matches.
- Redundant rules – rules that unnecessarily duplicate what another rule already does.
Shadowed and redundant rules can leave other critical rules unimplemented and impair firewall performance. You can identify shadowed and redundant rules with a logical analysis of the firewall’s access rules.
Step #5 – Identify excessive permission rules
Simplicity is the key. In the case of a firewall, we need to make sure we only allow what is absolutely necessary.
Strive to adhere to the principle of least privilege for firewall management. That is, grant only the amount of access that is actually required. Review your rule policy to identify rules that might be excessively permissive, making sure to align with industry best practice. For example, you might want to remove rules with ‘any’ in more than one field, or that contain too many ports.
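The logical analysis of Step #4 (shadowed and redundant rules) and the ‘any in more than one field’ check of Step #5, as an added Python example that is not Skybox Security's code: a small first-match rule model run over a constructed rulebase. It assumes that a later rule fully covered by a single earlier rule never fires, calling it redundant when the two actions agree and shadowed when they differ.

```python
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # inclusive (low, high) destination port range
    action: str   # "allow" or "deny"

def _net(cidr: str) -> ipaddress.IPv4Network:
    return ANY_NET if cidr == "any" else ipaddress.ip_network(cidr)

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by rule b is also matched by rule a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in ("any", b.proto)
            and a.ports[0] <= b.ports[0] <= b.ports[1] <= a.ports[1])

def analyze(rules: list) -> tuple:
    """A later rule fully covered by one earlier rule never fires (first match wins):
    same action -> redundant, opposite action -> shadowed. Returns name pairs (dead, covering)."""
    shadowed, redundant = [], []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                bucket = redundant if earlier.action == later.action else shadowed
                bucket.append((later.name, earlier.name))
                break  # one covering rule is enough to make the later one dead
    return shadowed, redundant

def too_permissive(r: Rule) -> bool:
    """Step 5 heuristic from the text: 'any' in more than one field."""
    wildcards = (r.src == "any", r.dst == "any", r.proto == "any", r.ports == ANY_PORTS)
    return sum(wildcards) > 1

# Constructed sample rulebase in enforcement order (not taken from any real firewall).
RULES = [
    Rule("R1", "any", "10.0.0.0/8", "tcp", (443, 443), "allow"),
    Rule("R2", "192.168.1.0/24", "10.0.5.0/24", "tcp", (443, 443), "deny"),  # shadowed by R1
    Rule("R3", "192.168.0.0/16", "10.0.0.0/8", "tcp", (443, 443), "allow"),  # redundant with R1
    Rule("R4", "any", "any", "tcp", ANY_PORTS, "allow"),  # 'any' in three fields
    Rule("R5", "172.16.0.0/12", "10.1.0.0/16", "udp", (53, 53), "allow"),  # clean
]
```

Calling `analyze(RULES)` reports R2 as shadowed by R1 and R3 as redundant with R1, while `too_permissive` flags only R4; the check treats each rule on its own, so a narrow rule covered only by the union of several earlier rules is not reported.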
Step #6 – Count rule usage
Back to the firewall log: use the trace data to find rules that are not used, or that are only partially used. Unused rules may be unnecessary and could be deleted. Alternatively, they could be subject to order of operations, with an earlier rule matching first, and may need to be moved up in the rule set. Partially used rules do have hits, but the hits cover only part of what the rule permits, indicating that the rule needs to be trimmed.
For example, we may find that a rule with ‘any’ in the destination field actually represents only a few addresses and should be replaced with a more narrowly defined rule.
After you have completed these six steps, your firewalls will be in tip-top shape, ready to defend your network from threats so you can defend your beach chairs.