firewall analyzer
Home    Contact
Webcast Registration   Go
  Products Services News About Us Resources Blog  
« Athena FirePAC v3.1 has arrived
PCI Compliance and SYN Flood DoS Attacks »

Cleaning Up Redundant and Unused Firewall Rules

Firewall rule bases have an annoying tendency to grow larger over time. It’s easy to add new rules to a firewall. But nobody likes to remove rules from the firewall because they don’t know what the effect of the change will be. As a consequence, firewall rule bases will accumulate a lot of redundant and unused rules.

Redundant rules exist in firewall rule bases because of structural relationships between the rules; one or more rules duplicate the functionality of other rules. As firewalls evaluate the rules in the sequence they are defined in the rule base, rules whose functionality is covered by other preceding rules in the rule base will never be triggered and hence can be removed safely. There can also be redundant rules that exist as special cases preceding more general rules that succeed them. Removing these special cases will not change the firewall functionality; the later general rules allow or deny the same traffic. Identifying the redundant rules requires an understanding what traffic is allowed or denied by each rule. From this, you can identify rules that are redundant. If object groups are used heavily in the rule base, identifying the redundant rules manually will be painful and time consuming because of the large number of expanded combinations that need to be investigated. Tools are good at automating this type of analysis and easily identify these rules. Once identified, cleaning up these rules is very safe. Here at Athena Security, we have found as much as 30%-40% of the rules in large rule bases are structurally redundant and contribute nothing to the functionality of the firewall. Removing these rules will simplify the firewall configuration, making it easier manage and less error-prone to make changes.

On the other hand, identifying unused rules requires a lot more time and effort invested up front. These are the rules that have become stale over a period of time. They were not removed because the business owner could not be identified or the business owner is not sure. Some times you have to prove to the business owner that they are not really using the services allowed in the rule base. So identifying these unused rules requires capturing firewall logs for reasonable time duration. These logs then need to be analyzed to see which rules were never triggered during the period of log capture. Trending might also be required to accurately identify rules that might only be used at certain points in the year. On most firewalls, capturing logs for rules requires enabling of the log option on the rules that are being monitored. This could have an impact on the firewall performance, depending on the traffic being logged. Even though this process is time-consuming, often this is the only way to make the overly permissive rules less specific or to remove unused services from existing rules.

Cleaning up firewall rule bases is an important part of auditing your firewalls. This process can be very complex and time-consuming to attempt by hand. By using tools such as Athena FirePAC that automatically identify redundancies and unused rules, you can complete the process in only a day or two rather than weeks.

Tags: , ,

This entry was posted on Monday, November 16th, 2009 at 5:45 pm and is filed under Athena Insights, Firewall Tips. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

21 Responses to “Cleaning Up Redundant and Unused Firewall Rules”

  1. Inside the Firewall » Blog Archive » A Process for Cleaning Firewall Rulesets Says:
    May 24th, 2010 at 4:27 pm

    [...] an earlier post, we discussed the need for cleaning up and simplifying firewall rulesets.  There are two [...]

  2. Wm Vemura Says:
    March 10th, 2012 at 10:33 am

    The work a mystery good man has been doing is like a vein of water flowing hidden underground, secretly making the floor green.
    Do over is needed. What’s the distance between someone that achieves cause real progress consistently and those who spend their lives and careers merely following? Further.

  3. a591973 Says:
    March 10th, 2012 at 10:58 pm

    I’ve said that least 591973 times. SCK was here

  4. facebook likes Says:
    March 11th, 2012 at 1:17 pm

    I have observed that online education is getting common because attaining your degree online has turned into a popular method for many people. Many people have not really had a chance to attend an established college or university yet seek the elevated earning possibilities and career advancement that a Bachelor Degree grants. Still others might have a college degree in one discipline but would wish to pursue some thing they already have an interest in.

  5. Vinyl Says:
    March 11th, 2012 at 2:47 pm

    A powerful share, I simply given this onto a colleague who was doing a little analysis on this. And he actually purchased me breakfast as a result of I found it for him.. smile. So let me reword that: Thnx for the treat! However yeah Thnkx for spending the time to discuss this, I feel strongly about it and love studying more on this topic. If potential, as you grow to be experience, would you mind updating your weblog with more particulars? It’s highly useful for me. Large thumb up for this blog publish!

  6. Costa Rica Car Rental Says:
    March 14th, 2012 at 11:03 pm

    I’m typically to running a blog and i genuinely recognize your content. The post has really peaks my interest. I am going to bookmark your website and maintain checking for new information.

  7. louis vuitton australia Says:
    March 26th, 2012 at 11:44 pm

    Thanks so much for providing individuals with such a memorable chance to check tips from this blog. It really is so excellent and also packed with a good time for me personally and my office mates to visit your blog on the least 3 times weekly to read through the latest stuff you will have. And lastly, I am just at all times amazed with all the very good techniques served by you. Certain 1 points on this page are in truth the most beneficial we’ve had.

  8. Sharyl Jeschon Says:
    March 28th, 2012 at 11:44 pm

    My family every time say that I am killing my time here at net, however I know I am getting knowledge daily by reading thes nice posts.

  9. 脿 l'int茅rieur de nettoyage Says:
    April 1st, 2012 at 11:53 pm

    I would like to express some appreciation to you for bailing me out of this particular issue. After scouting through the internet and seeing proposals which were not beneficial, I was thinking my life was gone. Being alive without the presence of approaches to the issues you’ve solved by means of your article is a crucial case, and ones that would have in a negative way damaged my career if I had not come across your web blog. Your personal training and kindness in maneuvering almost everything was precious. I’m not sure what I would have done if I hadn’t come upon such a thing like this. I’m able to at this time relish my future. Thank you so much for the skilled and sensible help. I will not hesitate to suggest your blog to any person who would like support on this subject matter.

  10. disposable under sink water filter Says:
    April 28th, 2012 at 8:40 pm

    Dont buy the house buy the neighborhood.

  11. Rachel Humphrey Says:
    April 28th, 2012 at 11:39 pm

    Great article and the video on youtube is good too

  12. CL Pumps Says:
    April 29th, 2012 at 1:20 am

    Easily, the post is really the greatest on this laudable topic. I concur with your conclusions and will thirstily look forward to your future updates. Saying thanks will not just be sufficient, http://www.christianlouboutinukcheap.com/ for the great lucidity in your writing. I will instantly grab your rss feed to stay privy of any updates.

  13. Gucci Handbags on Sale Says:
    April 29th, 2012 at 3:14 am

    I have been through the whole content of this http://www.guccioutlethandbagsonline.com/ blog which is very informative and knowledgeable stuff, I would like to visit again.

  14. Rebbecca Agreste Says:
    April 29th, 2012 at 8:16 am

    Even though I had finished a really respectable third, obtained a private ideal and completed 1st out of my club, I still felt unbelievably dissatisfied and almost incompetent.

  15. whole house iron manganese hydrogen sulfide filter stainless steel Says:
    April 29th, 2012 at 2:34 pm

    Money spent on the mind is never spent in vain.

  16. Goozle Zone Says:
    September 7th, 2012 at 9:46 pm

    Websites we think you should visit…

    we like to honor many other internet sites on the web, even if they aren’t linked to us, by linking to them. Under are some webpages worth checking out…

  17. bankruptcy look up Says:
    October 17th, 2012 at 1:46 am

    Everybody love a lord.

  18. アグ ブーツ Says:
    November 22nd, 2012 at 6:08 pm

    I haven’t checked in here for some time because I thought it was getting boring, but the last few posts are good quality so I guess I will add you back to my daily bloglist. You deserve it friend :)
    アグ ブーツ http://www.bootscheapsalejp.com/

  19. UGG メンズ Says:
    November 22nd, 2012 at 6:09 pm

    I gotta bookmark this site it seems very helpful very helpful
    UGG メンズ http://www.bootsallcheap.com/

  20. free porn Says:
    December 30th, 2012 at 11:17 pm

    What’s up, after reading this remarkable paragraph i am also delighted to share my knowledge here with friends.

  21. Arnoldo Says:
    March 31st, 2013 at 1:45 pm

    Very great post. I simply stumbled upon your blog
    and wanted to say that I have really enjoyed surfing around your blog posts.
    After all I will be subscribing on your rss feed and I hope you write once
    more very soon!

Leave a Reply

Copyright © 2006-2009 Athena Security, Inc. All Rights Reserved. AthenaVerifyTM and Athena FirePACTM are trademarks of Athena Security, Inc.
Privacy Statement

Inside the Firewall is proudly powered by WordPress
Entries (RSS) and Comments (RSS).