The Firewall Whisperer

Let’s face it, sometimes firewalls just don’t behave. It’s not for a lack of trying…no, quite the opposite, we” tell” it what to do over and over, and many times in hundreds of different ways through various commands otherwise known as rules. Over time, these rules go unheard, and unused, and the result is unpredictable, sometimes unruly behavior. Alas, your young pup becomes a lethargic beast whose legs quiver under the strain of keeping the rest of its body mobile and willing to move.

Enter the Firewall Whisperer. Equal parts drill sergeant and psychologist, it is time to make some changes, some subtle, others drastic, all effective – FireMon.

Analogies aside, unused rules are a serious problem and these days, top of mind for most firewall administrators given that nearly 40% of all rules on a firewall go unused, according to several published reports. It hasn’t always been this way: in fact, for several years, we [Secure Passage] evangelized the problem and our “Rule Usage Analysis” feature as a sales organization only to be met with a, “…cool, but could we hear more about your change control and auditing features?” (In our prospects defense, the year was 2004 and FireMon 2.1 with Rule Usage Analysis had just been introduced.) Of course, we were all too happy to show off those well established features [change control and auditing] whose entre into the security space was made public 3 years prior in 2001, to solve the problem of tracking and auditing changes made to the firewall in a market-defining way that was both graphical and historical collected in real-time.

Slowly but surely however, the problem of unused rules garnered more attention from security departments as firewall policies became more complex, and audit requirements demanded an explanation for the presence of every rule. The dilemma of identifying rules that no longer fulfill a business requirement is not unique to any single firewall vendor; each are guilty for omitting a way to fix the problem outside of an error-prone, manual, process of deciphering firewall logs and understanding policies, some, whose rules often number in the hundreds. (Good luck with that.)

Thankfully, there is a safe and effective solution to the problem: FireMon’s Firewall Policy Change Analysis suite. This feature works across all supported firewalls, including the industry’s big 3: Check Point, Cisco and Juniper. Using unobtrusive, real-time methods, FireMon identifies unused rules (NAT and security), objects, and services across both physical and virtual enforcement points. Additionally, the reporting ranks the use of all rules which identifies a secondary problem (though no less important) of used rules buried too far down the stack of rules processed by the firewall. Using this information, a firewall administrator now has the tools to make intelligent re-ordering decisions about the critical 10% of rules at the top of a policy to dramatically improve the performance of device; while also exorcising unused rules, objects and services of every firewall inside of the environment.

Perhaps it goes without saying, but using some of this new-found information, security can go back to the line of business and discuss the removal of long ago requested access and queue suspect rules for disablement and deletion. Overtime, this process fosters a working relationship between IT and the business which improves the security posture of the organization while improving its availability and operational efficiency in the process. Of course, this is only one part of the solution. In optimizing and maintaining a clean and efficient firewall policy, it is important to focus on 4 key areas: create and maintain an on-going rule analysis and clean-up process, understand what you have (what does each rule do?) , sort rules in the policy based on usage, and improve the rule creation process moving forward.

This is only the start. Like any good training program, the process (and it is that – a process) takes time, buy-in, and patience. We’ve looked briefly at the first aspect of the solution, next we’ll consider the other 3 in this holistic approach to reigning in the firewall, thanks to the Firewall Whisperer.