Despite being one of the older security technologies, firewalls are still the most utilized network security control in the enterprise. As Gartner noted in its last Magic Quadrant, “firewalls have long provided the most cost-effective means of protecting vulnerable PCs, servers and infrastructure from external attacks to enable secure business use of the Internet.” One of the many operational challenges in managing firewalls is that business units are constantly requesting new access through the firewall. While most security teams are quick to accommodate a business unit’s request, very rarely do these same teams audit whether a requested access is still required 6 months, a year or even 2 years after the request is processed. Many of these requests are for a temporary access that ends up remaining in the firewall policy for years.
At FireMon, we have seen customer environments where as many as 70% of the rulebase was not being used. These unused rule can significantly degrade the performance of a firewall, and can potentially introduce risk into the environment by allowing protocols or networks access into your enterprise that are not needed. As the NIST guidelines for firewall policy state “generally, firewalls should block all inbound and outbound traffic that has not been expressly permitted by the firewall policy—traffic that is not needed by the organization.” Allowing unused rules to remain in a policy goes against this central tenant and represent an open risk to the organization.
Fortunately, FireMon Security Manager makes it easy to identify unused rules within your firewall policy. Within the list of devices in the Security Manager client, a user can simply right click on any firewall device, select reports and then Unused Rules Report. The pop-up box that appears allows you to specify a date range or previous number of days to show unused rules within that time frame. Users can also select if they would like the report output to be a PDF, Web Page or XML data. Clicking Finish will produce the report, which will show unused rules for both the Security and NAT rules on the device. Security Manager also enables users to setup the Unused Rules Report to run automatically on a daily, weekly,monthly, yearly or custom time frame. This automated report can also be emailed to any number of recipients. A common best practice among many Security Manager users is to have the Unused Rules Report emailed to them the 1st of each quarter showing which rules went unused for the last 90 days, reviewing the access with the business unit that requested the rule (which is identified by Security Manager using the Policy Planner tool) and removing the rule if the business unit has no valid justification for continuing to have the rule within the policy.
By leveraging this simple but powerful report within Security Manager, security managers can ensure that their firewalls are not introducing any unnecessary risk to the organization or negatively impacting the firewalls performance by unnecessarily increasing the size of the rulebase.