The Best of Firewall Management – Removing Unused Rules

In this series, FireMon leadership shares their favorite features of the latest release of our firewall management solution, Security Manager. Click Here to subscribe to the blog.

Rule Usage analysis to identify unused rules is a core feature first invented by FireMon and now central to our market space. Beyond “cleaning up” the mess, there are real security benefits to removing those unused rules.

Unused rules are like leaving the keys in a running car that wastes gas and exposes unnecessary risk of someone stealing the car. Unused firewall rules bloat the policy, causing it to run slower and expose the network to unneeded risk of an attacker exploiting the open access.

Many users who install FireMon Security Manager find thousands of rule issues that need to be addressed. It can be pretty overwhelming. We’ve published some good webinars discussing what we consider a good strategy for rule review and removal:

  • Start with the technical mistakes (hidden and shadowed rules).
  • Move to business issues (unused rules and objects, compliance issues).
  • Work to improve the remaining rules by tightening them to only the access that is needed (TFA).

Security Manager Version 8 has created a new way to evaluate these rules by combining usage data with assessment data. The theory is pretty simple: if you have a rule that is not being used (no business purpose) AND it has significant security or compliance violations, then it is a rule that is both unnecessary and exposes the organization to a lot of risk. The result is a prioritized list of rules that should be reviewed for immediate removal.

RemoveRulesPriorityTake a look at the chart on the left and the table at the bottom of the screenshot taken from our Policy Dashboard. The large bar on the left in the chart shows all the unused rules. The small red block at the top are the rules with Critical Control failures that are also unused. A user can click on that bar chart to be taken to the Rules List page listing all the rules that are unused and have Critical Control Failures.

The table shows the top 20 unused rules, sorted by those with the highest cumulative severity (a score generated by combining all the severities of controls this rule has failed). Both of these represent rules that should be at the top of an administrator’s list to remediate immediately.

Want to see it for yourself? Contact our sales team for a web demo or request a free evaluation copy.