Know Your Firewall

By Chad Raggio ·

Firewalls have been around for decades, and many organizations have had the same firewall technology in place for just as long. Even with the evolution of different security technologies now integrated into next generation firewalls, your firewall rules are not going away any time soon. In fact they are now under scrutiny. 

Often in the past, firewall administrators did not keep documentation of each rule and change that was entered, resulting in an accumulation of unknown rules. Because of this, firewall rule cleanup can be challenging since current firewall administrators may not know the history of the rules, network, system, or application intricacies, and fear that making changes could “break” something. But doing nothing is not an option; in order to effectively improve your organization’s security posture you must either start from scratch (not a very likely option), or, work on the rules already in place and determine how to clean them up. 
 
There are three reasons why organizations should go through a firewall rule cleanup exercise: 

  1. Secure Your Network
    Often with years of “just add this for now and we’ll review it later” firewall rules, the “review it later” portion was never revisited. Now is the time. It is likely that there are misconfigured rules, unknown holes and possibly gaping issues you are not aware of that can leave your organization vulnerable.  
  2. Meet Compliance Requirements
    Organizations are required to provide documentation of the steps taken to secure their network, and show what firewall rules are in place for compliance reasons. Also, compliance with a governing body often requires a standardized process for firewall changes. 
  3. Establish Ongoing Processes and Procedures
    Any firewall rule change should be approved by the security department and implemented by the firewall administrator. The firewall administrator may not know what is required for compliance and what type of traffic should be allowed to certain sensitive systems – this should be decided separately from the implementation. 


Change control should also be involved. This should include network administrators, system administrators and application administrators. If everyone is aware of the changes and approves them, it takes the guesswork out of the implementation process and decreases the likelihood that errors may occur. 

Below are some helpful tips and guidance to keep in mind when auditing and cleaning up your firewall rules:

  • Third-party automated firewall management is an excellent (but optional) first step. Some firewalls include an option to show unused rules, however a manual process is likely involved.  
  • Use a ticketing system during this process to document existing rules, the review of those rules, and any changes that are required.  
  • If you have a large rule set it may be necessary to split the cleanup process into smaller manageable sections such as network IP ranges, server types, user or WiFi segments. 
  • Document existing rules through entering tickets for individual systems or networks, and having server groups take ownership of identifying systems and applications. Once systems and applications are identified, the required IP source, IP destination and application traffic requirements can be entered into the ticket. If changes are required, they would go through the firewall change approval process and change control process. This procedure may be required for larger environments.
  • When changing a firewall rule set from a default allow policy (allow all unless explicitly denied) to default deny policy (deny all unless explicitly allowed), the cleanup process can be applied.

Throughout the firewall cleanup process it is best to have the tools of the trade available. Automated firewall management helps make the job much easier by identifying the weak points in your rules and making recommendations for improvements. These tools also offer options for automating the firewall-specific change control process. 

Moving forward, it is important to have a change management and approval process in place, and a ticketing system to record the business purposes of existing rules and changes needed. This will help ensure that the firewall rules your organization has in place stay up-to-date and can effectively protect your enterprise.  

Chad Raggio

Consultant

Chad Raggio is a consultant in Optiv’s technology solutions practice on the network solutions team. His role is to provide consulting and support to Optiv’s clients with expertise in firewall, intrusion prevention, web filtering and endpoint security solutions.