Although one of the older security controls, firewalls are still the most used preventive control in use today. One of the many challenges faced is the constant stream of requests to provide additional access through the firewall. While new access is often added, it is quite common to find that access remains in place for months or even years after it’s no longer needed. In fact, statistics show that on the average firewall as much as 70% of the firewall rules in place are no longer being used. These unused rules can both decrease the performance of a firewall as well as introduce potential risk into the environment.
The NIST guidelines for Firewall Policies states that “firewalls should block all inbound and outbound traffic that has not been expressly permitted by the firewall policy—traffic that is not needed by the organization”. In following this guideline, we can reduce the volume of traffic passing into your network and decrease the risk associated with this unneeded traffic.
As Security professionals, when it comes to firewalls, it is our responsibility to advise the business on any risks that may be incurred for any given firewall rule. Simply understanding the technical reason for a firewall rule is not enough, we need to understand the business need for why a rule exists; what is its purpose. Only then can you truly be able to assess the need and risk for that rule. As an example, a rule providing outbound SSL access is not very helpful as far as understanding the purpose of this rule. However, if we document the justification for this rule, then we can understand that outbound SSL is needed to remotely manage a cloud environment.
To manage this properly it needs to be a part of a formal configuration management process. Tracking these in a spreadsheet will quickly become an unmanageable task so ideally you want to track these in your configuration or inventory management system. In addition to that, most firewall vendors provide a comments field within the firewall policy. This does NOT mean you do not need effective Change Control and Configuration Management, but it does provide you a quick, at-a-glance view of what each firewall rule is created for.
So, what are some things we can do to optimize the performance and security of our firewalls?
One of the first things we do is look for any technical errors in the configuration. Firewalls can be very complex with hundreds or in some cases thousands of rules which makes finding these a challenge. As a result, the likelihood of technical errors existing is very high. When we talk about technical errors, we are really referring to things like redundant, unused, or obscure rules. Firewall rules are applied top-down so a packet may match on a more permissive rule higher up when the desire was for it to match a rule further down the list.
Rules are typically configured to enable hosts to access a specific network service or services. Therefore, a rule which enables access to a secure web service could be configured to access a specific destination host on Transmission Control Protocol (TCP) port 443. However, it is also possible to configure the rule to allow access using “any” protocol which, would also enable access to port 22, 80 or 443 etc., using both TCP and User Datagram Protocol (UDP). Wherever possible these rules should be configured to use only the specific protocols that are required, TCP port 443 in this example.
Ideally you want to review the firewall configuration at regular intervals. Some industry compliance regulations require documentation of these audits at set intervals. For example, the PCI DSS requires that you review your firewall configuration every six months.
Each review should include a detailed examination of all changes since the last regular review, particularly who made the changes and under what circumstances. Once we have found these errors then we can begin to prioritize the remediation.
Most organizations have well established procedures for adding rules into a firewall, but very few effectively remove rules that no longer serve a legitimate business purpose. It is not uncommon to find rules that are unneeded and no longer server a business purpose. These can and should be removed and doing so will reduce the complexity of the configuration, improve the performance of the firewall and more importantly, reduce the risk associated with the access.
There are many reasons that a rule becomes obsolete including but not limited to:
A contractor required access for a project that is now complete
An upgraded application with different firewall requirements
An application was retired, and the firewall settings are no longer needed
Identifying unused rules or objects is not an easy task. To identify these, you have to analyze the firewall rule against the actual network traffic as opposed to just performing a static analysis. By associating the network traffic in the firewall logs with the rule that generated the traffic we can then start to identify which rules are used the most frequently, which rules are not used at all and which rules may need to be adjusted because they provide too much or too little access.
The addition of firewall rules is a normal occurrence but unfortunately is not always well defined and are often requested in a hurry. As a result, they are often not fully thought out and the necessity of NOW often overrides the “luxury” of security. These rules often provide too much access and introduce risk to the environment. It is often thought that we will just come back to it later but in reality, that rarely happens. Once access for a new system is provided it is not always easy to go back and “fix” these firewall rules. Fixing them in the eyes of the business translates to possible disruption and blocking business access to a critical application; refining access to these applications requires an in-depth knowledge of how the application works and must be performed carefully
It is not enough to just clean up or validate a rule, just because it exists and is in use does not necessarily justify the access provided by that rule or the need for it to exist at all. A proper audit of your firewall configuration can ensure that your firewalls are not introducing any unnecessary risk to the organization or negatively impacting the firewalls performance.
Cleaning up these rules is just one of the steps we need to perform on a regular basis as part of your regular maintenance routines.