How many network administrators wonder if the changes they made to the company's firewall rule set have created an opening in the network's defenses?
The complexity of modern networks makes it difficult to maintain an overview of the entire perimeter, applications and users. IT personnel often change, new applications get added, and users come and go or change roles. These changes can require numerous adjustments to firewall rules, and permissions can easily become quite muddled. In this tip, we'll discuss methods and technologies that enable successful firewall rules changes.
First off, I think the best way to approach firewall rule management is with these three key guidelines:
- Keep your rule base simple
- Document every rule
- Implement a change-control policy
Keeping the rule base simple
Firewall manuals are often baffling, but the key points to remember are that filters specify an action for a specific value, such as Block Port 80, whereas rules apply a conditional statement, if port=80 then deny. How to go about configuring a firewall should stem directly from the business rules established in the organization's security policy. If you approach firewall configuration with the goal of supporting those directives, the rules and filters should define themselves.
The best way to combine filters and rules is to establish a basic "deny" filter, then set separate filters or rules to handle special cases. For example: Block port all, Allow port 80. This approach to firewall rule management doesn't necessarily avoid rules that overlap each other, but by always placing your "allow" rules lower in priority than your "deny" filters, your overall rule set will be more secure.
Documentation and change-control policy
By commenting and making detailed notes about every rule, it's easier to understand the intention behind each one when it's time to make changes. It is also important to only make changes by following a change-control process, a formal, coordinated approach that will ensure changes are tested and can be reversed if an unintended outcome (i.e. an insecure configuration) occurs. Also make sure that groups of rules or policies have meaningful names with the creation date and administrator's initials included in the file name.
Some administrators don't feel comfortable relying solely on a single firewall technology, and certainly no single firewall does everything exceptionally well. Many times, multiple firewalls are needed to handle multiple points of entry on the network and protect a variety of different business applications. The more firewalls you put into a network, however, the more difficult it becomes to keep them coordinated and consistent across the entire network.
The best strategy in such cases is to be sure each one has a distinct purpose and position within the flow of network traffic. For example, if you have a firewall dedicated to protecting your database, then its rules and filters need only be concerned with controlling traffic to and from the database, not all the other devices on your network. This makes the rule set simpler and thus easier to manage.
Products that automate firewall rule management
Thankfully, today technology exists to automate firewall management and make it easier to maintain consistent, coordinated firewall settings across an organiation. Networks using solely Cisco Systems Inc. firewalls, for example, can use CiscoWorks Management Center for PIX to manage the configuration of multiple PIX Firewall devices, while McAfee Inc.'s Firewall Enterprise Control Center provides a central interface for simplifying the management of multiple McAfee Firewall appliances.
One feature I like in the Network and Security Manager (NSM) firewall management tool from Juniper Networks Inc. is the ability to create "begin" and "end" rules on every Juniper firewall, which local administrators cannot delete or disable. To deploy consistent rules across a heterogeneous environment, you could also try using Firewall Builder, a vendor-neutral application that configures and manages firewall rules, to generate configuration files for any supported target firewall platform from the same policy created in its GUI. (Firewall Builder is distributed under both the GNU Public License or under commercial license.)
The Firewall Analyzer from Algosec Inc. takes a different approach to firewall rule management. The product queries multiple firewall vendors and devices to learn whether a change is even needed, as the rule or policy may already exist. It also assesses the operational and security implications of a proposed change. RedSeal Systems Inc.'s Security Risk Manager similarly can analyze firewall and router configurations against industry and security best practices and then recommend changes.
Whichever product you use, remember that constant changes to firewall policies will affect their performance. The adjustments also involve costs and time in planning and coordinating the changes with other aspects of the network. Finally, I would recommend regular audits on your firewall rules to check that your "as-implemented" configuration hasn't diverged from the "as-designed" configuration. Orphaned and unused rules can occur when services or systems are removed from the network, or other changes render a rule obsolete.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.