Firewall rule bases have an annoying tendency to grow larger over time. It’s easy to add new rules to a firewall. But nobody likes to remove rules from the firewall because they don’t know what the effect of the change will be. As a consequence, firewall rule bases will accumulate a lot of redundant and unused rules.

Redundant rules exist in firewall rule bases because of structural relationships between the rules; one or more rules duplicate the functionality of other rules. As firewalls evaluate the rules in the sequence they are defined in the rule base, rules whose functionality is covered by other preceding rules in the rule base will never be triggered and hence can be removed safely. There can also be redundant rules that exist as special cases preceding more general rules that succeed them. Removing these special cases will not change the firewall functionality; the later general rules allow or deny the same traffic. Identifying the redundant rules requires an understanding what traffic is allowed or denied by each rule. From this, you can identify rules that are redundant. If object groups are used heavily in the rule base, identifying the redundant rules manually will be painful and time consuming because of the large number of expanded combinations that need to be investigated. Tools are good at automating this type of analysis and easily identify these rules. Once identified, cleaning up these rules is very safe. Here at Athena Security, we have found as much as 30%-40% of the rules in large rule bases are structurally redundant and contribute nothing to the functionality of the firewall. Removing these rules will simplify the firewall configuration, making it easier manage and less error-prone to make changes.

On the other hand, identifying unused rules requires a lot more time and effort invested up front. These are the rules that have become stale over a period of time. They were not removed because the business owner could not be identified or the business owner is not sure. Some times you have to prove to the business owner that they are not really using the services allowed in the rule base. So identifying these unused rules requires capturing firewall logs for reasonable time duration. These logs then need to be analyzed to see which rules were never triggered during the period of log capture. Trending might also be required to accurately identify rules that might only be used at certain points in the year. On most firewalls, capturing logs for rules requires enabling of the log option on the rules that are being monitored. This could have an impact on the firewall performance, depending on the traffic being logged. Even though this process is time-consuming, often this is the only way to make the overly permissive rules less specific or to remove unused services from existing rules.

Cleaning up firewall rule bases is an important part of auditing your firewalls. This process can be very complex and time-consuming to attempt by hand. By using tools such as Athena FirePAC that automatically identify redundancies and unused rules, you can complete the process in only a day or two rather than weeks.

Tags: Athena FirePAC, redunant rules, rule cleanup

This entry was posted on Monday, November 16th, 2009 at 5:45 pm and is filed under Athena Insights, Firewall Tips. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.