Rule and Object Usage
If the security policies, rules, objects and configurations of your firewalls, routers,
and switches are not managed at all times, they will become too complex, create
security gaps, and degrade performance.
Architected to meet the requirements of any organization, FireMon® Security Manager's granular rule
and object analysis ensures that the right access over the right protocol is in
place to support business functionality. Security Manager's Rule Usage Report automatically
identifies how rules and objects are being used so you can easily determine what
changes need to be made to reduce policy complexity.
Unused Rule Analysis
Policy cleanup activities typically center on removing access that is no longer
necessary. One data point that administrators can use to gauge the necessity of
a rule is to analyze who, when, and how frequently that access is in use.
The most glaring example of unnecessary access is an entire security rule that
is no longer in use. Security Manager pinpoints these rules by monitoring traffic logs from
firewalls, allowing administrators to track each security rule individually over long periods
of time and determine whether it is still in use.
Unused Object Analysis
Firewall vendors handle network and service objects differently. Some provide a
robust editor for placing many objects in a rule and others rely on group objects
to represent a single identity. Some vendors require that objects have a saved definition
before being placed in a rule, while others allow standard network and service definitions
directly in the rule. Regardless of the management approach, network
and service objects often become unnecessary inside of rules as well as unnecessary in
the security policy.
Objects inside security rules that have become unused allow those rules to pass
more traffic than is required. Security Manager's Rule Usage Analysis Report shows
the hit count of security rules and the objects inside the rules. Additionally,
it has a dedicated section for "Rules with Unused Objects," giving administrators
the data necessary to reduce the scope of rules that are in use.
More globally, sometimes objects are not hit inside any rule or policy on the firewall.
In that case, Security Manager's global Object Usage Report details the usage of network
and service objects regardless of their position in a policy.
For even more granular analysis of the data flowing through a rule, see the Traffic
Flow Analysis section.
Traffic Flow Analysis
Reducing the scope of security rules is a common task in most enterprise networks
today. Whether two networks are being merged quickly and the firewall cannot interrupt
business operations, or compliance dictates strict accounting of access, rules can
often be reduced in scope or divided into more manageable rules once the traffic
that uses them is better understood.
Security Manager's innovative Traffic Flow Analysis Report allows administrators to
focus on the traffic flowing through a security rule. Using a patent-pending
algorithm, it combines common access requests and presents detailed yet actionable
traffic flows (source, destination, and service) that are in use. This allows for
either refinement of the access in new rules or the removal of unnecessary objects.
One of the most common compliance goals for enterprises today is to understand when
the Any object is appropriate in rules that permit traffic. Using Traffic Flow Analysis,
users can either justify that the access is broad enough to use Any or reduce the
rule definition to remove Any.
Rule Reordering and Optimization
Firewall performance is an ongoing issue for most organizations. Knowing the utilization
of your rules is one of the critical components of optimizing the firewall performance
and it gives administrators the ability to reorder them such that highly utilized
access is placed as high in the rule set as possible.
Using Security Manager's Rule Usage Analysis Report, the most utilized rules are shown
at the top of the report, giving administrators the information needed to move rules.
Additionally, Security Manager's analysis engine is able to analyze rule order and alert
users when highly utilized rules have dropped too low in the rule set.
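The following script is an added example, not FireMon code, that illustrates the rule-usage, unused-object, and usage-ordering analysis described in the Unused Rule Analysis, Unused Object Analysis, and Rule Reordering sections above. It replays constructed traffic log lines against a constructed first-match rule set (the OBJECTS, SERVICES, RULES and LOG values, and the key=value log format, are all assumptions made for the example) and reports per-rule hit counts, rules that were never hit, rules whose objects were never matched, and the rule order sorted by hit count.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample policy (not FireMon data): named network and service objects referenced by an ordered, first-match rule set.
OBJECTS = {"corp_lan": ["10.0.0.0/8"], "dmz_web": ["192.0.2.10/32", "192.0.2.11/32"],
           "partner": ["198.51.100.0/24"], "any": ["0.0.0.0/0"]}
SERVICES = {"http": [("tcp", 80)], "https": [("tcp", 443)], "dns": [("udp", 53)]}
RULES = [{"id": "r1", "src": ["corp_lan"], "dst": ["dmz_web"], "svc": ["http", "https"]},
         {"id": "r2", "src": ["partner"], "dst": ["dmz_web"], "svc": ["https"]},
         {"id": "r3", "src": ["corp_lan"], "dst": ["any"], "svc": ["dns"]}]
# Constructed traffic log lines in a simple key=value form.
LOG = """src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=443
src=10.1.2.4 dst=192.0.2.11 proto=tcp dport=443
src=10.1.2.3 dst=192.0.2.53 proto=udp dport=53
src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=443
src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=443""".splitlines()

def net_match(name, ip):
    return any(ip_address(ip) in ip_network(n) for n in OBJECTS[name])

def first_hit(flow):
    """Return (rule, objects that matched) for the first rule the flow hits, else None."""
    for rule in RULES:
        s = [o for o in rule["src"] if net_match(o, flow["src"])]
        d = [o for o in rule["dst"] if net_match(o, flow["dst"])]
        v = [o for o in rule["svc"] if (flow["proto"], flow["dport"]) in SERVICES[o]]
        if s and d and v:          # first match wins, as on the firewall
            return rule, s + d + v
    return None

def parse_line(line):
    kv = dict(f.split("=", 1) for f in line.split())
    return {"src": kv["src"], "dst": kv["dst"], "proto": kv["proto"], "dport": int(kv["dport"])}

def usage_report(lines):
    rule_hits = Counter({r["id"]: 0 for r in RULES})
    obj_hits = {r["id"]: Counter({o: 0 for o in r["src"] + r["dst"] + r["svc"]}) for r in RULES}
    for line in lines:
        hit = first_hit(parse_line(line))
        if hit:
            rule_hits[hit[0]["id"]] += 1
            obj_hits[hit[0]["id"]].update(hit[1])   # only the objects that actually matched
    unused_rules = [rid for rid, n in rule_hits.items() if n == 0]
    unused_objects = {rid: [o for o, n in c.items() if n == 0]
                      for rid, c in obj_hits.items() if rule_hits[rid] and 0 in c.values()}
    # Ordering by hit count is only safe between rules whose match sets do not overlap.
    order = [rid for rid, _ in rule_hits.most_common()]
    return {"hits": dict(rule_hits), "unused_rules": unused_rules,
            "rules_with_unused_objects": unused_objects, "suggested_order": order}
```

With the constructed log, r2 is reported as unused, r1 is reported with the never-matched "http" service object, and the usage ordering places r1 first.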