My company has worked with a variety of firewalls, and while our change management process has been pretty good...
historically, we don't keep track of the old firewall rules we eliminate. Should we keep track of these rules, and if so, how?
Ask the Expert
Have questions about network security? Submit them now via email!
First, let me commend you and your company for maintaining something that is disregarded in far too many enterprise networks: change management. This is the sort of blocking and tackling that's hardly exciting work (it's actually quite boring), but is nonetheless necessary for maintaining a secure network. How many configuration errors and security loopholes could be avoided if more attention was paid to change management?
Compliments aside, I must say that your company is erring by not tracking eliminated rules. I would equate this to not keeping track of the users who no longer have authority to access your network. While it's a good thing to explicitly state who is allowed on the network, a higher degree of certainty is attained when you explicitly state who is not allowed on your network.
A brief example: Let's say that for a certain time period, your company blocked all traffic from the 10.0.0.0/16 subnet. Then, after some time, it was determined that this subnet belonged to a legitimate domain and had valid business use, so the rule blocking 10.0.0.0/16 was eliminated and forgotten about. Now, suppose that a year or two later a new security administrator is hired and, while poring over the logs, he wrongfully determines that traffic coming from the 10.0.0.0/16 network is illegitimate and blocks the entire subnet. Without anything to reference before he made his decision, the new admin not only blocked a legitimate domain, but may also have inadvertently disrupted some legitimate business traffic. Had your organization put this information into its records, the issue could have been avoided.
While a number of today's next-generation firewalls come with adequate change management tools, many organizations find that firewall configuration management software is the best way to manage changes to firewall rules, including ones that are no longer used. Keeping a record of rules that are disabled or deleted is especially helpful when an unexpected firewall problem occurs, as it can often be traced back to a rule that was mistakenly removed.
Related Q&A from Brad Casey, Contributor
Can Project Sonar, an Internet-scanning project, benefit enterprise network security? Expert Brad Casey discusses.continue reading
The Department of Defense is using a converged network security architecture to simplify security management. Learn about the security benefits.continue reading
If Wi-Fi network passwords are accessed off Android mobile devices by third parties, it could mean disaster without the right precautions.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.