Change management best practices: Tracking eliminated firewall rules

Does your enterprise track eliminated firewall rules? It's one of the change management best practices suggested by expert Brad Casey.

My company has worked with a variety of firewalls, and while our change management process has been pretty good historically, we don't keep track of the old firewall rules we eliminate. Should we keep track of these rules, and if so, how?

First, let me commend you and your company for maintaining something that is disregarded in far too many enterprise networks: change management. This is the sort of blocking and tackling that's hardly exciting work (it's actually quite boring), but it is nonetheless necessary for maintaining a secure network. How many configuration errors and security loopholes could be avoided if more attention were paid to change management?

Compliments aside, I must say that your company is erring by not tracking eliminated rules. I would equate this to not keeping track of the users who no longer have authority to access your network. While it's a good thing to explicitly state who is allowed on the network, a higher degree of certainty is attained when you explicitly state who is not allowed on your network.

A brief example: Let's say that for a certain time period, your company blocked all traffic from the subnet. Then, after some time, it was determined that this subnet belonged to a legitimate domain and had valid business use, so the blocking rule was eliminated and forgotten about. Now, suppose that a year or two later a new security administrator is hired and, while poring over the logs, he wrongly determines that traffic coming from the network is illegitimate and blocks the entire subnet. With nothing to reference before he made his decision, the new admin not only blocked a legitimate domain, but may also have inadvertently disrupted legitimate business traffic. Had your organization put this information into its records, the issue could have been avoided.

While a number of today's next-generation firewalls come with adequate change management tools, many organizations find that firewall configuration management software is the best way to manage changes to firewall rules, including ones that are no longer used. Keeping a record of rules that are disabled or deleted is especially helpful when an unexpected firewall problem occurs, as it can often be traced back to a rule that was mistakenly removed.
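The practice the answer recommends, as an added example that is not part of the original column and is not tied to any particular firewall product: a ledger of retired rules, each with the date and business reason, plus a check that consults the ledger before a new block rule is committed. The rule sets are constructed, and the 203.0.113.0/24 documentation range stands in for the unnamed subnet in the scenario above.

```python
"""Added example: keep a ledger of eliminated firewall rules and consult it
before a new block rule is committed. Rule sets below are constructed samples."""
import ipaddress
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    action: str  # "deny" or "allow"
    src: str     # source CIDR, e.g. "203.0.113.0/24"
    dst: str     # destination CIDR or "any"
    port: str    # service/port or "any"


def retire_rules(old, new, retired_on, reason, ledger):
    """Append every rule present in `old` but missing from `new` to `ledger`,
    recording the date and the business reason. Returns the entries added."""
    new_set = set(new)
    removed = [r for r in old if r not in new_set]
    entries = [{"rule": r, "retired_on": retired_on, "reason": reason} for r in removed]
    ledger.extend(entries)
    return entries


def conflicting_history(candidate, ledger):
    """Return ledger entries whose source range overlaps the candidate's and whose
    destination/port scope matches. A proposed block on a range that was
    deliberately un-blocked earlier is exactly the case the answer describes."""
    cand_net = ipaddress.ip_network(candidate.src, strict=False)
    hits = []
    for entry in ledger:
        old = entry["rule"]
        if old.dst != candidate.dst or old.port != candidate.port:
            continue
        if ipaddress.ip_network(old.src, strict=False).overlaps(cand_net):
            hits.append(entry)
    return hits


# Constructed sample: a deny on a /24 exists, then is removed with a reason.
OLD = [Rule("deny", "203.0.113.0/24", "any", "any"), Rule("allow", "10.0.0.0/8", "any", "443")]
NEW = [Rule("allow", "10.0.0.0/8", "any", "443")]
LEDGER = []
retire_rules(OLD, NEW, date(2013, 3, 1), "203.0.113.0/24 is a partner subnet; valid business use", LEDGER)

# A later admin proposes blocking part of that range; the ledger flags it.
PROPOSED = Rule("deny", "203.0.113.0/25", "any", "any")
for e in conflicting_history(PROPOSED, LEDGER):
    print(f"WARNING: {e['rule']} retired on {e['retired_on']}: {e['reason']}")
```

The check deliberately ignores the action field, so a retired allow rule on the same scope also surfaces, which is the other direction an unexplained configuration change can take.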

This was last published in April 2014