Simplifying Large Firewall Rulesets by Aggregating Primitive Rules
Tuesday, January 25th, 2011

Recently we have seen a problem in some organizations where a management console was being used to automatically generate firewall rules across multiple firewalls. These consoles tend to generate lots of very simple, primitive rules that specify a single source, destination, and service and that do not use object groups. Over time, the console will generate lots of these primitive rules, resulting in very large rulesets. This problem becomes compounded when the network administrators decide to switch to a different firewall management product. Suddenly they are faced with a large and complex rulebase that is difficult to understand and manage.
The size of the rulebase in each firewall can be significantly reduced by a process, based on rule aggregation, that creates large address and service objects and new replacement rules that use them. This has the potential to provide order-of-magnitude reductions in the number of rules in the rulebase.
The process consists of initially creating objects on one (source, destination or service) dimension at a time, based on the number of rules that the object covers in that dimension. This step requires powerful analysis capabilities and cannot be done manually or by using simple scripts. The initial step is followed by further iterations to create new replacement rules that contain objects in two dimensions, and then finally in all three dimensions. Athena FirePAC, unlike other firewall analysis products, provides features such as content-based rule search and filtering on source, destination, and service elements to quickly isolate the rules that can be aggregated. FirePAC also has the capability to create scripts that generate the replacement rules at each iterative step to minimize errors.
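To make the one-dimension-at-a-time idea concrete, here is an added example (not FirePAC's code or method, and a simplification of it) that aggregates a constructed set of primitive rules along the source, then destination, then service dimension, and verifies that first-match behaviour is unchanged. It assumes first-match rule evaluation and plain string names for hosts and services; the rule names and the deny rule in the sample are constructed.

```python
from dataclasses import dataclass, replace
from itertools import product
@dataclass(frozen=True)
class Rule:
    src: frozenset   # address object; a one-member set is a primitive console rule
    dst: frozenset
    svc: frozenset   # service object, e.g. {"tcp/80", "tcp/443"}
    action: str      # "permit" or "deny"
DIMS = ("src", "dst", "svc")
def aggregate(rules, dim):
    """Merge rules identical in every field but `dim` into one rule whose `dim` is the
    union (the new object group), placed where the first member was.  A group is cut
    wherever a rule with a different action sits between two members, because moving a
    member across it could change which rule a packet matches first."""
    other = [d for d in DIMS if d != dim]
    groups = {}                                   # key -> list of index segments
    for i, r in enumerate(rules):
        key = tuple(getattr(r, d) for d in other) + (r.action,)
        segs = groups.setdefault(key, [[]])
        if segs[-1] and any(x.action != r.action for x in rules[segs[-1][-1] + 1:i]):
            segs.append([])                       # opposite-action rule in between
        segs[-1].append(i)
    merged = {}
    for segs in groups.values():
        for seg in segs:
            union = frozenset().union(*(getattr(rules[j], dim) for j in seg))
            merged[seg[0]] = replace(rules[seg[0]], **{dim: union})
    return [merged[i] for i in sorted(merged)]

def simplify(rules):
    """One pass per dimension: objects in one, then two, then all three dimensions."""
    for dim in DIMS:
        rules = aggregate(rules, dim)
    return rules
def first_match(rules, src, dst, svc):
    hits = (r.action for r in rules if src in r.src and dst in r.dst and svc in r.svc)
    return next(hits, None)                       # None: the implicit default applies

def equivalent(a, b):
    """Brute-force: same first-match action for every (src, dst, svc) the rules mention."""
    universe = [set().union(*(getattr(r, d) for r in a + b)) for d in DIMS]
    return all(first_match(a, *t) == first_match(b, *t) for t in product(*universe))
def prim(src, dst, svc, action="permit"):
    return Rule(frozenset([src]), frozenset([dst]), frozenset([svc]), action)
# Constructed sample: 12 console-generated primitive permits with one deny in the middle.
CONSOLE_RULES = [prim(h, s, p) for h in ("h1", "h2", "h3")
                 for s in ("web1", "web2") for p in ("tcp/80", "tcp/443")]
CONSOLE_RULES.insert(6, prim("h2", "web2", "tcp/22", "deny"))
```

On the sample, the 13 rules collapse to 5 (the interleaved deny prevents some merges); without the deny, the 12 permits collapse to a single rule with three-member source, destination and service objects.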
When multiple firewall configurations are involved, it is also good practice to standardize the objects used across the firewalls for better management. Athena Security has special tools and processes for object standardization and automated generation of all the firewall configurations using the standardized objects.
Check out FirePAC’s features for rule and object cleanup. You can download it for free and have it up and running in minutes.