
Posts Tagged ‘Athena FirePAC’

Cleaning Up Redundant and Unused Firewall Rules

Monday, November 16th, 2009

Firewall rule bases have an annoying tendency to grow larger over time. It’s easy to add new rules to a firewall. But nobody likes to remove rules from the firewall because they don’t know what the effect of the change will be. As a consequence, firewall rule bases will accumulate a lot of redundant and unused rules.

Redundant rules exist in firewall rule bases because of structural relationships between the rules: one or more rules duplicate the functionality of other rules. Because firewalls evaluate the rules in the order they are defined in the rule base, a rule whose traffic is already fully matched by preceding rules will never be triggered and can be removed safely. There can also be redundant rules that exist as special cases preceding more general rules that follow them. Removing these special cases will not change the firewall's behavior; the later, more general rules allow or deny the same traffic. Identifying the redundant rules requires an understanding of what traffic is allowed or denied by each rule; from this, you can identify the rules that are redundant. If object groups are used heavily in the rule base, identifying the redundant rules manually will be painful and time-consuming because of the large number of expanded combinations that need to be investigated. Tools are good at automating this type of analysis and easily identify these rules. Once identified, cleaning up these rules is very safe. Here at Athena Security, we have found that as much as 30%-40% of the rules in large rule bases are structurally redundant and contribute nothing to the functionality of the firewall. Removing these rules simplifies the firewall configuration, making it easier to manage and making changes less error-prone.
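The two structural cases described above can be checked mechanically once each rule is reduced to the traffic it matches. The following is an added example written for this post, not FirePAC's own analysis and not code from Athena Security; it uses a constructed five-tuple rule model (source and destination CIDR, protocol, port range, action) and a hypothetical nine-rule base. It finds rules shadowed by a single earlier rule, finds special cases that a later rule with the same action covers, and it adds the check a practitioner needs for the second case: a special case is only safe to remove if no rule between it and the general rule could catch its traffic with a different action. A `decide` function walks the base first-match so the effect of removing a rule can be confirmed by simulation rather than by inspection.

```python
from dataclasses import dataclass
from ipaddress import ip_network


# Constructed rule model for this example (not FirePAC's data model).
# Ports are a closed range; proto "any" matches every protocol and port.
@dataclass(frozen=True)
class Rule:
    rid: int
    src: str        # CIDR
    dst: str        # CIDR
    proto: str      # "tcp", "udp" or "any"
    port_lo: int
    port_hi: int
    action: str     # "allow" or "deny"

    def covers(self, other):
        """True if every packet matched by `other` is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.port_lo <= other.port_lo
                and other.port_hi <= self.port_hi)

    def overlaps(self, other):
        """True if at least one packet could match both rules."""
        return (ip_network(self.src).overlaps(ip_network(other.src))
                and ip_network(self.dst).overlaps(ip_network(other.dst))
                and ("any" in (self.proto, other.proto) or self.proto == other.proto)
                and self.port_lo <= other.port_hi
                and other.port_lo <= self.port_hi)


# Hypothetical rule base, in evaluation order.
SAMPLE_RULES = [
    Rule(1, "10.1.1.0/24", "192.168.5.10/32", "tcp", 443, 443, "allow"),  # special case of 2
    Rule(2, "10.1.0.0/16", "192.168.5.0/24", "tcp", 443, 443, "allow"),
    Rule(3, "10.1.1.5/32", "192.168.5.10/32", "tcp", 443, 443, "deny"),   # shadowed deny: never fires
    Rule(4, "10.2.0.0/16", "192.168.6.0/24", "any", 0, 65535, "allow"),
    Rule(5, "10.2.3.0/24", "192.168.6.20/32", "tcp", 22, 22, "allow"),    # shadowed by 4
    Rule(6, "0.0.0.0/0", "192.168.7.7/32", "tcp", 80, 80, "allow"),
    Rule(7, "10.3.1.0/24", "192.168.8.0/24", "tcp", 25, 25, "allow"),     # NOT removable: 8 sits between
    Rule(8, "10.3.1.0/24", "192.168.8.9/32", "tcp", 25, 25, "deny"),      # shadowed by 7
    Rule(9, "10.3.0.0/16", "192.168.8.0/24", "tcp", 25, 25, "allow"),
]


def find_shadowed(rules):
    """Map rid -> rid of the first earlier rule that fully covers it.

    A shadowed rule can never fire whatever its action; a shadowed deny is
    the case worth flagging, because the intended block is not in effect.
    Coverage by a union of several earlier rules is not detected here."""
    shadowed = {}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                shadowed[rule.rid] = earlier.rid
                break
    return shadowed


def find_redundant_special_cases(rules):
    """Rules fully covered by a later, more general rule with the same action.

    Such a rule is removable only if no rule between the two, with a
    different action, could catch its traffic once it is gone."""
    removable = []
    for i, rule in enumerate(rules):
        for j in range(i + 1, len(rules)):
            later = rules[j]
            if later.action == rule.action and later.covers(rule):
                between = rules[i + 1:j]
                if not any(b.action != rule.action and b.overlaps(rule) for b in between):
                    removable.append(rule.rid)
                break
    return removable


def decide(rules, src_ip, dst_ip, proto, port, default="deny"):
    """First-match evaluation of one flow, the way the firewall walks the base."""
    probe = Rule(0, f"{src_ip}/32", f"{dst_ip}/32", proto, port, port, default)
    for rule in rules:
        if rule.covers(probe):
            return rule.action
    return default


if __name__ == "__main__":
    print("shadowed:", find_shadowed(SAMPLE_RULES))
    print("removable special cases:", find_redundant_special_cases(SAMPLE_RULES))
    without_7 = [r for r in SAMPLE_RULES if r.rid != 7]
    print("10.3.1.4 -> 192.168.8.9:25 with rule 7:", decide(SAMPLE_RULES, "10.3.1.4", "192.168.8.9", "tcp", 25))
    print("10.3.1.4 -> 192.168.8.9:25 without rule 7:", decide(without_7, "10.3.1.4", "192.168.8.9", "tcp", 25))
```

The intervening-rule guard is what separates a safe clean-up from a behaviour change: rule 7 is covered by rule 9 with the same action, yet removing it would hand 10.3.1.0/24 traffic to 192.168.8.9 over to the deny in rule 8. Object groups are not modelled here; in a real base each group member expands into its own five-tuple before these checks apply, which is exactly the combinatorial growth that makes manual review impractical.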

On the other hand, identifying unused rules requires a lot more time and effort invested up front. These are the rules that have become stale over time. They were not removed because the business owner could not be identified or the business owner is not sure. Sometimes you have to prove to the business owner that they are not really using the services allowed in the rule base. Identifying these unused rules therefore requires capturing firewall logs for a reasonable period of time. These logs then need to be analyzed to see which rules were never triggered during the capture period. Trending might also be required to accurately identify rules that are only used at certain points in the year. On most firewalls, capturing logs for rules requires enabling the log option on the rules being monitored. This can have an impact on firewall performance, depending on the traffic being logged. Even though this process is time-consuming, often it is the only way to make overly permissive rules more specific or to remove unused services from existing rules.
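The log-driven side of the clean-up reduces to counting rule hits over a capture window and comparing the result against the rule inventory. This is an added example written for this post (not FirePAC's log analysis and not Athena Security's code); the syslog-style lines and the `rule=<id>` field are constructed for the example, and the inventory is a hypothetical map of rule id to whether the log option is enabled on that rule. It builds in the three caveats from the paragraph above: a rule without logging enabled is reported as unknowable rather than unused, a capture window shorter than a minimum length is rejected, and rules seen only once or twice are listed separately so they can be trended across later windows instead of being deleted on the strength of one capture.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log lines (not real firewall output); the key=value layout is
# assumed for this example. One line is outside the window, one is not a
# rule-hit record at all, and one names a rule id that is not in the inventory.
LOG_LINES = """\
2009-08-20T07:00:00 fw1 rule=1 action=allow src=10.1.1.9 dst=192.168.5.10 proto=tcp dport=443
2009-09-02T08:12:01 fw1 rule=1 action=allow src=10.1.1.5 dst=192.168.5.10 proto=tcp dport=443
2009-09-15T09:00:44 fw1 rule=2 action=allow src=10.1.7.9 dst=192.168.5.22 proto=tcp dport=443
2009-09-30T23:58:10 fw1 rule=3 action=allow src=10.4.0.8 dst=192.168.9.1 proto=tcp dport=1521
2009-10-03T11:20:05 fw1 rule=1 action=allow src=10.1.1.6 dst=192.168.5.10 proto=tcp dport=443
2009-10-10T00:00:00 fw1 kernel: link state changed on eth1
2009-10-20T14:02:33 fw1 rule=2 action=allow src=10.1.8.2 dst=192.168.5.23 proto=tcp dport=443
2009-10-21T14:02:33 fw1 rule=12 action=deny src=10.1.8.2 dst=192.168.5.23 proto=tcp dport=23
""".splitlines()

# Hypothetical inventory: rule id -> log option enabled on that rule.
RULE_INVENTORY = {1: True, 2: True, 3: True, 4: False, 5: True}

LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ rule=(?P<rid>\d+) ")


def rule_usage(inventory, log_lines, window_start, window_end, min_days=30):
    """Classify every inventoried rule as used, unused or not assessable.

    Raises if the capture window is too short to draw any conclusion."""
    if window_end - window_start < timedelta(days=min_days):
        raise ValueError(f"capture window shorter than {min_days} days")
    hits, first_seen, last_seen, unknown = Counter(), {}, {}, set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a rule-hit record
        ts = datetime.fromisoformat(m["ts"])
        if not (window_start <= ts <= window_end):
            continue                      # outside the capture window
        rid = int(m["rid"])
        if rid not in inventory:
            unknown.add(rid)              # stale numbering or a renumbered base
            continue
        hits[rid] += 1
        first_seen[rid] = min(ts, first_seen.get(rid, ts))
        last_seen[rid] = max(ts, last_seen.get(rid, ts))
    report = {"used": {}, "unused": [], "no_logging": [], "unknown_rids": sorted(unknown)}
    for rid, logging_on in sorted(inventory.items()):
        if not logging_on:
            report["no_logging"].append(rid)   # absence of hits proves nothing here
        elif hits[rid]:
            report["used"][rid] = {"hits": hits[rid], "first": first_seen[rid], "last": last_seen[rid]}
        else:
            report["unused"].append(rid)
    return report


def seldom_used(report, max_hits=1):
    """Rules that did fire, but so rarely that one window cannot distinguish a
    quarterly job from a rule that is on its way to being stale."""
    return sorted(rid for rid, info in report["used"].items() if info["hits"] <= max_hits)


if __name__ == "__main__":
    window = (datetime(2009, 9, 1), datetime(2009, 10, 31, 23, 59, 59))
    report = rule_usage(RULE_INVENTORY, LOG_LINES, *window)
    print("unused:", report["unused"])
    print("not assessable (logging off):", report["no_logging"])
    print("trend before removing:", seldom_used(report))
    print("unknown rule ids in logs:", report["unknown_rids"])
```

Rule 3 here fires once, at the end of a quarter; a two-month window cannot say whether it is a quarterly batch job or a leftover, which is why it lands in the trending list rather than the unused list. Rule 4 has logging disabled, so its absence from the logs is not evidence of anything until the log option is enabled and a new window is captured.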

Cleaning up firewall rule bases is an important part of auditing your firewalls. This process can be very complex and time-consuming to attempt by hand. By using tools such as Athena FirePAC that automatically identify redundancies and unused rules, you can complete the process in only a day or two rather than weeks.

Athena FirePAC v3.1 has arrived

Friday, September 25th, 2009

It’s been a long summer and the development team has been hard at work adding a bunch of new features to Athena FirePAC. We finally released v3.1 at the beginning of September. I thought it’d be worthwhile to point out some of the really cool features available in the new release.

First, as was announced here, Athena Security is now a technology partner with SolarWinds and we have integrated FirePAC with Orion Network Configuration Manager. You can connect to Orion NCM from FirePAC, select the firewalls you’re interested in from the device repository, and import their configurations directly into FirePAC. The import is fast, easy, and painless. No worries about logging into the firewall or which commands you need to issue to get the right data. And you can import multiple firewalls in one operation.

Related to the Orion NCM integration is the configuration update feature. Now, after you’ve imported a firewall into FirePAC, you can update the configuration automatically from the same location it was originally imported from. If you imported from the filesystem, the update will be taken from the same files. If you imported from Orion, the update will be taken from there. No need to specify the same source for the configuration files over and over again. Just select the firewall in the FirePAC Firewall Inventory and click the Update operation.

Another big new feature is our enhanced Query capability. There are now three types of queries that allow you to explore the firewall behavior and configurations. With the Data Flow query, you can ask questions like “which critical hosts are exposed to these risky services?” or “what sources are allowed to connect to this server?” or “why is this service not being allowed through the firewall”? It allows you to use Athena’s powerful data flow analysis of firewall behavior to identify specific risks to your network or to understand exactly what the firewall is doing.

With the Rule Search query, you can search for rules that match specific patterns of source, destination, and service parameters across your entire inventory of firewalls. You can even select rules based on matching network or service groups. With the Object Search query, you can find where specific network or service objects are defined and where those objects are used in other object groups. Taken together, Rule Search and Object Search give you a powerful capability to understand the structure of your rulesets and object definitions and their inter-relationships.

Wrapping up the Query facility is the new Saved Queries feature. Now you need only enter the parameters for a given query once. Then you can save it and issue the saved query again later. This can be useful when you have a long list of critical hosts that you need to check exposures to on a regular basis.

All these new features really extend FirePAC as an operational tool for managing firewalls. You can download an evaluation free for 30 days from our web site. Check it out!

Athena FirePAC v2.0 is here!

Monday, January 19th, 2009

The new version of Athena FirePAC is now available for download. Try it out free for 30 days. We’ve added a bunch of cool new features in this release. The new user interface shows you a list of all your licensed firewalls and is a breeze to work with. FirePAC now provides a compliance assessment report for the PCI Data Security Standard v1.2. The PCI assessment correlates the policy analysis performed by FirePAC with the PCI requirements for firewalls and presents the results in a single convenient report. We’ve also added a new report that identifies the top offending rules that are responsible for the most security exposures in the firewall configuration.

And lots more too. Check it out!

FirePAC Webcast Schedule

Sunday, January 11th, 2009

The schedule for my webcasts in January and the first part of February about Athena FirePAC is up. Register for any one of the webcasts and learn more about using FirePAC to analyze your firewalls.



Copyright © 2006-2009 Athena Security, Inc. All Rights Reserved. AthenaVerifyTM and Athena FirePACTM are trademarks of Athena Security, Inc.

Inside the Firewall is proudly powered by WordPress