A Process for Cleaning Firewall Rulesets
In an earlier post, we discussed the need for cleaning up and simplifying firewall rulesets. There are two techniques for determining whether a rule can be removed from a rulebase: one based on rule redundancy and the other on rule usage.
The two techniques can overlap, in the sense that a rule can be both redundant and have zero usage. Even so, the majority of removable rules will usually fall into one category or the other, so to keep your rulebase efficient and simple it makes sense to maximize rule removal by applying both approaches. Automated tools, such as Athena FirePAC, can apply both. The question then is how to proceed, and in what order. The straightforward technique is a two-pass approach: in the first pass, remove zero-usage rules identified from log data and create a new configuration with those rules removed; in the second pass, run the modified configuration through the tool again to identify redundant rules. This two-step approach is untenable in most situations, since it requires access to the production device (or even a laboratory device) twice. If there is a formal validation step in the rule cleanup process, that validation step also has to be repeated. With a large number of firewalls to clean up, the two-step process can add months to the schedule and thousands of dollars in cost.
Clearly the answer is a one-step process that incorporates both techniques. In one such process, the firewall configuration is run through the rule cleanup tool at most twice: once to identify redundant rules, and once to identify zero-usage rules. The order in which the two sets are identified does not matter, because they are then combined as follows to determine the rules that will actually be removed. First, every rule identified as having zero usage is marked for removal. The remaining candidates are the redundant rules. Of these, any rule whose source rules (the rules that make it redundant) all sit above it in the rulebase is marked for removal. The remaining redundant rules have source rules below them in the rulebase; mark such a rule for removal only if none of its source rules has zero usage (a zero-usage source rule is itself being removed, so it can no longer cover the traffic) and any rule options associated with the redundant rule can be ignored. You may wish to manually review the zero-usage rules before removal to ensure that there is no business case for retaining them.
To ensure that the rules are removed correctly, it is advisable to use a script that will remove the rules one at a time, in an automated fashion.
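The selection logic described above, together with the one-rule-at-a-time removal list, as an added example that is not part of the original post and is not FirePAC code. It assumes a vendor-neutral rule model (hypothetical `Rule` records with a position, a hit count from log analysis, the positions of the rules that make it redundant, and a flag for rule options such as logging that would be lost on removal); the sample rulebase is constructed. Rules with source rules both above and below are treated conservatively as "source rules below", and the removal list is emitted from the bottom of the rulebase upward so that each deletion leaves the positions of the rules still to be deleted unchanged, which is an assumed design choice rather than anything the post specifies.

```python
from dataclasses import dataclass, field

# Hypothetical rule record; field names are assumptions for this example.
@dataclass
class Rule:
    position: int                 # 1-based position; lower positions are evaluated first
    name: str
    hits: int                     # matches seen in log data over the analysis window
    redundant_to: list = field(default_factory=list)  # positions of the source rules
    has_options: bool = False     # e.g. logging or time-range options on this rule


def select_rules_for_removal(rules):
    """Return {position: reason} for rules that can be removed in one pass."""
    by_pos = {r.position: r for r in rules}
    removal = {}

    # Step 1: every zero-usage rule goes, regardless of redundancy.
    for r in rules:
        if r.hits == 0:
            removal[r.position] = "zero usage"

    # Steps 2 and 3: the remaining candidates are the redundant rules.
    for r in rules:
        if r.position in removal or not r.redundant_to:
            continue
        sources = [by_pos[p] for p in r.redundant_to]
        if all(s.position < r.position for s in sources):
            # Source rules are above: traffic already hits them first.
            removal[r.position] = "redundant (source rules above)"
        elif all(s.hits > 0 for s in sources) and not r.has_options:
            # Source rules are below: removal shifts traffic onto them, so
            # they must survive the cleanup and nothing (e.g. logging) is lost.
            removal[r.position] = "redundant (source rules below, all in use)"
    return removal


def removal_script(rules):
    """Vendor-neutral removal steps, one rule per line, bottom-up."""
    by_pos = {r.position: r for r in rules}
    removal = select_rules_for_removal(rules)
    return [
        f"remove rule {pos} ({by_pos[pos].name}): {reason}"
        for pos, reason in sorted(removal.items(), reverse=True)
    ]


# Constructed sample rulebase (positions, names and hit counts are made up).
SAMPLE_RULES = [
    Rule(1, "allow-dns", hits=1200),
    Rule(2, "allow-web-host", hits=0, redundant_to=[4]),
    Rule(3, "allow-web-legacy", hits=350, redundant_to=[4]),
    Rule(4, "allow-web-net", hits=8000),
    Rule(5, "allow-dns-dup", hits=15, redundant_to=[1]),
    Rule(6, "allow-smtp-logged", hits=600, redundant_to=[8], has_options=True),
    Rule(7, "allow-smtp-host", hits=30, redundant_to=[8]),
    Rule(8, "allow-smtp-net", hits=0),
]

if __name__ == "__main__":
    for line in removal_script(SAMPLE_RULES):
        print(line)
```

Running the block keeps rules 1, 4, 6 and 7: rule 6 is redundant but carries options, and rule 7 is redundant only to rule 8, which is itself being removed for zero usage, so deleting rule 7 would drop traffic that is currently allowed.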
Athena FirePAC automates the cleanup process from start to finish: it first identifies, based on redundancy and usage, all rules that can be removed without impacting the traffic allowed through the firewall, and then generates the scripts so that rule removal is straightforward and consistent. To learn more, download a free trial of FirePAC.
December 19th, 2011 at 12:04 pm
What a time saver and so easy and comprehensive tips to check and update computer drivers. Keep up the good work!
January 18th, 2012 at 3:45 pm
Hello, stopping by to say what's up. Scottie also says hey, and let's try to get together this week.