Firewall Policy Detox Step 3: Review and Refine

Firewall rules don’t get added because a security engineer thinks it would be fun to add a rule.  They usually get added because there was a business demand for new access.  And that request for new access is not always well defined: “I need access to the new ERP system.”  Just you, or your whole team?  To just the front end, or the back end too?  What kind of access?  Some of these questions may get answered if time permits, but the necessity of access NOW often overrides the perceived luxury of security.

Too often, business needs trump security prudence.  Rules get added to firewalls that permit too much access.  A rule to that new ERP system may allow access from the user’s network to both the front end and back end with ‘ANY’ service.  The access works; the business is happy; but you know security could be better.

So why not just go back and fix it?  Time, of course, is one consideration.  When do you ever have extra time to improve something that is already working?  A second consideration is your own job.  Security of the network is important, but job security isn’t bad either.  Although refining the overly permissive rules in a firewall is good for security, blocking business access to a critical resource is detrimental to your own job security.  And that is a likely consequence if a project to refine access in a firewall is undertaken without significant care.

It is possible to secure both: the network and your job.  Refining access is a risky proposition because it requires in-depth knowledge of which access is actually required.  One solution to the problem is Traffic Flow Analysis from FireMon, which automates the analysis of traffic passing through these rules to identify the traffic patterns actually in use.  Once the traffic is analyzed, the existing rule can be refined to match it, drastically reducing the access permitted.

Of course, the simple determination that a rule is used does not mean it is necessary.  A full review of the business need and an acceptance of risk are required to justify any remaining access.  Rule review is a complicated effort, but one that should be undertaken; it is a big project and a topic better left to another post.
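To make the two preceding points concrete, here is an added example (not FireMon’s product code, and not from the original post) of the refinement step in plain Python.  It takes the overly permissive ERP rule described above (user network to both ERP hosts with service ANY), runs a handful of constructed flow records through it, and emits one narrowed rule per destination containing only the protocol/port pairs that were actually observed.  Destinations the rule permits but that never saw matching traffic are reported separately rather than silently dropped, because “unused” still needs a business review before the access is removed.  All addresses, rule names and flow records are invented for the example.

```python
"""Refine an over-permissive firewall rule from observed traffic.

Added example: a minimal stand-in for the idea behind traffic flow analysis.
Every address, rule and flow record below is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Sentinel meaning "any protocol, any port" in a rule's service list.
ANY = ("any", 0)


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple        # CIDR strings, e.g. "10.20.0.0/16"
    destinations: tuple   # CIDR strings (host objects written as /32)
    services: tuple       # (proto, port) pairs, or (ANY,)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _in_any(ip: str, cidrs: tuple) -> bool:
    """True if ip falls inside at least one of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def flow_matches(rule: Rule, flow: Flow) -> bool:
    """Would this rule permit this flow?  Source, destination and service must all match."""
    if not _in_any(flow.src, rule.sources):
        return False
    if not _in_any(flow.dst, rule.destinations):
        return False
    return ANY in rule.services or (flow.proto, flow.dport) in rule.services


def observed_services(rule: Rule, flows: list) -> Counter:
    """Count hits per (destination object, proto, port) for flows the rule permits."""
    counts = Counter()
    for f in flows:
        if not flow_matches(rule, f):
            continue
        addr = ipaddress.ip_address(f.dst)
        # Attribute the hit to the rule's own destination object that contains f.dst.
        dst_obj = next(c for c in rule.destinations if addr in ipaddress.ip_network(c))
        counts[(dst_obj, f.proto, f.dport)] += 1
    return counts


def refine_rule(rule: Rule, flows: list):
    """Split an ANY-service rule into one rule per destination with only observed services.

    Returns (refined_rules, unused_destinations).  Unused destinations are
    reported, not deleted: "never hit in the sample" is evidence for review,
    not proof that the access is unnecessary.
    """
    counts = observed_services(rule, flows)
    refined, unused = [], []
    for dst in rule.destinations:
        services = tuple(sorted({(p, port) for (d, p, port) in counts if d == dst}))
        if services:
            refined.append(Rule(f"{rule.name}-{dst}", rule.sources, (dst,), services))
        else:
            unused.append(dst)
    return refined, unused


# Constructed sample: the permissive rule from the post, and a few flow records.
ERP_RULE = Rule(
    name="erp-access",
    sources=("10.20.0.0/16",),                     # hypothetical user network
    destinations=("10.50.1.10/32", "10.50.2.20/32"),  # ERP front end, ERP back end
    services=(ANY,),
)

SAMPLE_FLOWS = [
    Flow("10.20.3.4", "10.50.1.10", "tcp", 443),   # users -> front end, HTTPS
    Flow("10.20.3.4", "10.50.1.10", "tcp", 443),
    Flow("10.20.3.4", "10.50.1.10", "tcp", 443),
    Flow("10.20.7.8", "10.50.1.10", "tcp", 80),    # users -> front end, plain HTTP
    Flow("10.50.1.10", "10.50.2.20", "tcp", 5432), # front end -> back end: not from user net
    Flow("10.20.3.4", "10.99.0.1", "tcp", 22),     # unrelated destination, not this rule
]

if __name__ == "__main__":
    rules, unused = refine_rule(ERP_RULE, SAMPLE_FLOWS)
    for r in rules:
        print(f"{r.name}: {r.sources} -> {r.destinations} services={r.services}")
    print("permitted but never hit (review before removing):", unused)
```

Run as a script, it proposes a single narrowed rule (user network to the front end on TCP/80 and TCP/443) and flags the back end as a destination the rule permits but no user traffic ever reached.  In practice the flow sample has to cover a long enough window to catch monthly or quarterly jobs, which is exactly why the business review in the paragraph above is not optional.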

In the meantime, improve the security of your network without risking your job.