It’s the start of a new year, and the resolution talk is everywhere. Getting into shape – physically or maybe financially – usually lands at the top of people’s lists. But you may want to look at getting your firewalls into shape as well. If you’re the resolution-making type, consider adding these 10 best practices for improving firewall management to your list.
Monitor firewall changes in real time.
While this seems pretty obvious, it is surprising how many organizations do basic change monitoring but little in the way of actual change review. It is important to not only monitor change as prescribed by every regulatory security compliance initiative but to also ensure the change does not introduce unacceptable risk, create unnecessary policy complexity or violate security protocol.
Remove technical mistakes.
Removing technical mistakes is a great start for reducing the unnecessary policy complexity that so often creeps into firewall policies over time. A technical mistake is a rule that is ineffective or incorrect regardless of what the firewall is protecting: it can never match traffic, so it will never be used. The two primary examples are redundant rules and shadowed (hidden) rules, both of which are already fully covered by a rule that sits above them in the policy.
Closely monitor for unused access.
Unused but permitted access causes both excessive complexity and unnecessary risk. Any access through a firewall introduces some risk to the organization; however, permitted access that is not used is simply latent risk waiting to be exploited. Unused access can also rear its head later as unintended or inadvertent access – something auditors are sure to look for. It’s important to remediate access that is no longer required as early as possible in the policy review process.
Review rule usage for policy optimization.
Firewalls are sequential in operation: they evaluate rules top to bottom, in the order they are placed, and act on the first match. If a policy contains a large number of access rules and the most heavily used rules sit at the bottom of the list, every packet pays the cost of evaluating the rules above them, and that overhead degrades the firewall’s performance over time. A security management solution such as FireMon Security Manager can automate policy behavioral analysis and quickly aid in policy optimization.
Seek out overly permissive access.
Too often business trumps security, and rules are introduced into a policy that allow much greater access than is really required. This could be any broad ‘allow’ rule, but we typically find the overly promiscuous ‘ANY’ object being leveraged. Poorly defined or missing business requirements can frequently be traced back as the root cause. Broadly defined rules should be refined to just what is required. Distinguishing what is and isn’t actually being used inside an overly permissive rule is daunting to do by hand. This is where an automated security management solution can save countless hours.
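The three checks above (redundant and shadowed rules, usage-aware rule order, and overly permissive ‘ANY’ rules) can all be expressed over the same small policy model. The following is an added example written for this post, not FireMon code and not a description of how Security Manager works internally; the rule format, the sample policy and the hit counts are constructed for illustration, and the model assumes IPv4 and a single first-match rule base. The reordering deliberately refuses to swap two overlapping rules with different actions, which is the check that keeps "optimization" from silently changing what the firewall permits.

```python
"""Static checks over a simple ordered firewall policy: redundant and shadowed
rules, overly permissive ANY rules, and usage-aware reordering that does not
change what the policy allows or denies. Constructed sample data, IPv4 only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY = "any"  # stands in for the firewall's ANY object

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                          # CIDR or "any"
    dst: str                          # CIDR or "any"
    proto: str                        # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]]  # inclusive destination port range, None = any
    action: str                       # "allow" or "deny"

def _net_covers(a, b):   # every address in b is inside a
    return a == ANY or (b != ANY and ip_network(b).subnet_of(ip_network(a)))

def _net_overlaps(a, b):
    return ANY in (a, b) or ip_network(a).overlaps(ip_network(b))

def _ports_cover(a, b):  # None means any port
    return a is None or (b is not None and a[0] <= b[0] and b[1] <= a[1])

def _ports_overlap(a, b):
    return a is None or b is None or (a[0] <= b[1] and b[0] <= a[1])

def covers(a: Rule, b: Rule) -> bool:
    """Every packet matched by b is also matched by a."""
    return (_net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)
            and a.proto in (ANY, b.proto) and _ports_cover(a.ports, b.ports))

def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet could match both rules."""
    return (_net_overlaps(a.src, b.src) and _net_overlaps(a.dst, b.dst)
            and (ANY in (a.proto, b.proto) or a.proto == b.proto)
            and _ports_overlap(a.ports, b.ports))

def find_technical_mistakes(policy: List[Rule]) -> Dict[str, str]:
    """Rule name -> 'redundant' (covered by an earlier rule with the same action)
    or 'shadowed' (covered by an earlier rule with a different action)."""
    found = {}
    for i, later in enumerate(policy):
        for earlier in policy[:i]:           # first-match: only earlier rules matter
            if covers(earlier, later):
                found[later.name] = "redundant" if earlier.action == later.action else "shadowed"
                break
    return found

def find_overly_permissive(policy: List[Rule]) -> Dict[str, List[str]]:
    """Allow rules that lean on ANY, mapped to the fields that are wide open."""
    found = {}
    for r in policy:
        wide = [f for f, v in (("src", r.src), ("dst", r.dst), ("proto", r.proto)) if v == ANY]
        wide += ["ports"] if r.ports is None else []
        if r.action == "allow" and wide:
            found[r.name] = wide
    return found

def reorder_by_usage(policy: List[Rule], hits: Dict[str, int]) -> List[Rule]:
    """Move frequently hit rules toward the top, but keep the original relative
    order of any two rules that overlap with different actions, since swapping
    those would change the decision (priority-driven topological sort)."""
    n = len(policy)
    must_follow = {i: {j for j in range(i)
                       if policy[i].action != policy[j].action and overlaps(policy[i], policy[j])}
                   for i in range(n)}
    placed, result = set(), []
    while len(result) < n:
        ready = [i for i in range(n) if i not in placed and must_follow[i] <= placed]
        best = max(ready, key=lambda i: (hits.get(policy[i].name, 0), -i))  # ties keep original order
        placed.add(best)
        result.append(policy[best])
    return result

def decide(policy: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """Top-down first-match evaluation with an implicit final deny."""
    for r in policy:
        if ((r.src == ANY or ip_address(src) in ip_network(r.src))
                and (r.dst == ANY or ip_address(dst) in ip_network(r.dst))
                and r.proto in (ANY, proto)
                and (r.ports is None or r.ports[0] <= port <= r.ports[1])):
            return r.action
    return "deny"

# Constructed sample policy and hit counts (not taken from any real firewall).
POLICY = [
    Rule("r1-deny-bad-host", "203.0.113.7/32", ANY, ANY, None, "deny"),
    Rule("r2-dns", "10.0.0.0/8", "10.1.1.53/32", "udp", (53, 53), "allow"),
    Rule("r3-web-any", ANY, "10.1.2.0/24", "tcp", (80, 443), "allow"),
    Rule("r4-web-subnet", "10.0.0.0/8", "10.1.2.0/24", "tcp", (443, 443), "allow"),
    Rule("r5-bad-host-web", "203.0.113.7/32", "10.1.2.0/24", "tcp", (80, 80), "allow"),
    Rule("r6-any-any", ANY, ANY, ANY, None, "allow"),
    Rule("r7-deny-all", ANY, ANY, ANY, None, "deny"),
]
HITS = {"r6-any-any": 9000, "r3-web-any": 500, "r2-dns": 120, "r1-deny-bad-host": 3}

if __name__ == "__main__":
    print(find_technical_mistakes(POLICY), find_overly_permissive(POLICY))
    print([r.name for r in reorder_by_usage(POLICY, HITS)])
```

Running it reports r4 as redundant (r3 already allows everything it does), r5 and r7 as shadowed (a deny above r5 and the allow-any above r7 mean neither can ever fire), and r3 and r6 as the rules leaning on ANY. The reorder moves the busy DNS rule above the deny rule it does not overlap with, but keeps every allow rule that overlaps the bad-host deny below it, so `decide` returns the same answer on the original and reordered policy. Note that the usage-based ordering happily promotes the allow-any rule because it is the most hit; in practice the permissive rule should be refined first, or the optimization simply entrenches the risk.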
The benefits of good policy documentation cannot be overstated: better compliance reporting, faster service restoration, reduced complexity and improved policy management, to name just a few. A rule should be documented at the time it is introduced into the policy, and that documentation should be kept current whenever policy rule reviews or recertification take place. Ideally, rule documentation lives in the context of the policy itself and remains searchable and reportable.
Technically enforce policy compliance.
Security management solutions can be used to technically enforce a written security compliance policy. Security Manager from FireMon includes a flexible audit engine that can automatically inspect new policy rule additions to ensure they align with acceptable security policy guidelines or compliance initiatives.
Implement a consistent change workflow process.
Change is constant, especially in terms of network access and protection: daily emerging business requirements demand continual adjustment of defenses. A security-centric workflow solution that draws on the capabilities of an underlying security management solution allows an organization to analyze, approve, map and carry out configuration changes with full visibility into the resulting conditions, on a repeatable and consistent basis.
Map the network.
The ability to maintain a visible representation of a complex network greatly aids in securing it. An in-depth understanding of routing paths, and of the security enforcement points along those routes, is paramount to ensuring that undesirable access is not allowed.
Adding additional access to meet the demands of a constantly changing business landscape will never reduce risk. Having the ability to validate newly requested, or proposed, data access models across the network against known existing vulnerabilities can significantly improve the overall security posture of the network by placing you in position to remediate unacceptable risk before it is allowed.