Accurately identifying and removing access rules for decommissioned applications, without impacting the accessibility of other applications, is a huge issue for many organizations. Oftentimes, unnecessary or overly permissive access rules are left in place due to the fear of making a change that impacts the network or applications.
In this slideshow, AlgoSec, a security policy management company, examines the challenges of decommissioning business applications and offers five tips for improving security without affecting network operations by removing firewall rules that are no longer in use.
The majority of firewall changes are driven by business applications. Make sure that you can associate every firewall change request with the appropriate application, so you understand the impact on both the application and the network.
Identify the rules that are used only by the decommissioned application. Armed with this information, you can ensure that you don’t remove rules that other applications need in order to function properly. A nice side effect is that you can safely eliminate policy clutter, which increases the time it takes to prepare for audits, assess the policy for risk and troubleshoot connectivity issues, and which degrades firewall performance.
By keeping a log of your rule usage patterns, over time you will have visibility of rules that are unused and show no traffic hits. This information can also help you identify rules that are safe to retire.
Leveraging the comment fields within the firewall rule base (if they’re filled out properly) gives you a valuable source of information about each rule: its purpose, what it is tied to, whether it is only intended to be in place for a certain period of time, and so on.
Eighty percent of respondents in AlgoSec’s State of Network Security Survey 2013 noted that application-related rule changes resulted in outages or impaired performance. Changing or decommissioning rules is tricky if you don’t have all of the information you need. If you blindly remove firewall rules, more often than not some very unpleasant side effects will occur. Remember that rules and objects can be shared across multiple applications. For example, if you remove one rule that allows traffic through the entire application zone, you will also break, as a side effect, the traffic patterns required by a business application that still needs its connectivity.
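The triage described in the tips above (rules used only by the decommissioned application versus rules shared with other applications, rules that show no traffic hits over a logging window, and expiry information carried in comment fields) can be worked through on a small rule base. The following is an added example written for this page, not AlgoSec's code or any vendor's export format; the rule base, the application-to-rule mapping, the daily hit-counter log and the "key=value; key=value" comment convention are all constructed assumptions.

```python
"""Decommissioning triage over a constructed firewall rule base.

Assumptions (not a vendor format): rules are dicts with a free-text comment,
the application-to-rule mapping is maintained by the change process, and the
hit-counter export has one "YYYY-MM-DD <rule> hits=<n>" line per rule per day.
"""
from datetime import date, timedelta
import re

# Constructed rule base. Comment fields follow an assumed "key=value; ..." style.
RULES = {
    "r10": {"src": "10.1.0.0/24", "dst": "10.2.0.10", "svc": "tcp/443",
            "comment": "app=crm; owner=sales-it"},
    "r11": {"src": "10.1.0.0/24", "dst": "10.2.0.11", "svc": "tcp/1433",
            "comment": "app=crm; owner=sales-it; expires=2024-01-31"},
    "r20": {"src": "10.1.0.0/16", "dst": "10.2.0.0/24", "svc": "any",
            "comment": "application zone access; shared"},
    "r30": {"src": "10.3.0.0/24", "dst": "10.2.0.30", "svc": "tcp/8443",
            "comment": "app=billing; owner=finance-it"},
    "r31": {"src": "10.4.0.0/24", "dst": "10.2.0.40", "svc": "tcp/443",
            "comment": "app=hr-portal"},
    "r99": {"src": "any", "dst": "10.2.0.99", "svc": "tcp/22", "comment": ""},
}

# Which applications depend on which rules (the change-request-to-application
# association the first tip asks you to keep). r20 is the shared zone rule.
APP_RULES = {
    "crm": {"r10", "r11", "r20"},
    "billing": {"r20", "r30"},
    "hr-portal": {"r31"},
}

# Constructed two-day hit-counter export.
HIT_LOG = """\
2024-03-01 r10 hits=120
2024-03-01 r11 hits=0
2024-03-01 r20 hits=5400
2024-03-01 r30 hits=88
2024-03-01 r31 hits=0
2024-03-01 r99 hits=0
2024-03-02 r10 hits=97
2024-03-02 r11 hits=0
2024-03-02 r20 hits=5120
2024-03-02 r30 hits=91
2024-03-02 r31 hits=3
2024-03-02 r99 hits=0
"""
AS_OF = date(2024, 3, 2)
HIT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\S+)\s+hits=(\d+)$")


def classify_rules(app, app_rules):
    """Split an app's rules into (exclusive, shared): exclusive rules go away with
    the app; shared rules must stay because another app still depends on them."""
    mine = set(app_rules[app])
    others = set().union(*(r for a, r in app_rules.items() if a != app))
    return mine - others, mine & others


def impacted_apps(rule_id, app_rules):
    """Applications that would lose connectivity if rule_id were removed."""
    return {app for app, rules in app_rules.items() if rule_id in rules}


def parse_hit_log(text):
    """Return {rule_id: {date: hits}} from the hit-counter export."""
    hits = {}
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            day = date.fromisoformat(m.group(1))
            hits.setdefault(m.group(2), {})[day] = int(m.group(3))
    return hits


def unused_rules(rules, hits, as_of, window_days):
    """Rules with a hit count logged on every day of the window and zero hits on
    all of them. A rule with missing days is NOT reported: no data is not no traffic."""
    days = {as_of - timedelta(days=i) for i in range(window_days)}
    unused = set()
    for rule in rules:
        seen = hits.get(rule, {})
        if days <= set(seen) and all(seen[d] == 0 for d in days):
            unused.add(rule)
    return unused


def parse_comment(comment):
    """Parse the assumed 'key=value; key=value' comment style; free text is ignored."""
    out = {}
    for part in comment.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def expired_rules(rules, as_of):
    """Rules whose comment carries an 'expires' date that has already passed."""
    return {rid for rid, r in rules.items()
            if "expires" in parse_comment(r["comment"])
            and date.fromisoformat(parse_comment(r["comment"])["expires"]) < as_of}


def decommission_plan(app, rules, app_rules, hits, as_of, window_days=2):
    """Remove only the app's exclusive rules; keep shared ones; surface unused and
    expired rules elsewhere in the policy as separate review items, not removals."""
    exclusive, shared = classify_rules(app, app_rules)
    return {
        "remove": sorted(exclusive),
        "keep_shared": sorted(shared),
        "review_unused": sorted(unused_rules(rules, hits, as_of, window_days) - exclusive),
        "review_expired": sorted(expired_rules(rules, as_of) - exclusive),
    }


if __name__ == "__main__":
    print(decommission_plan("crm", RULES, APP_RULES, parse_hit_log(HIT_LOG), AS_OF))
```

Running the script for the decommissioned `crm` app removes only `r10` and `r11`, keeps the shared zone rule `r20` (which `impacted_apps` shows is also relied on by `billing`), and lists `r99` as an unused rule to review separately. Note that `r31` is not reported as unused despite a zero-hit day, and a rule absent from the log would not be reported either; both are deliberate, since a short or incomplete usage window is exactly how blind removals cause the outages the survey describes.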