My company has worked with a variety of firewalls, and while our change management process has been pretty good historically, we don't keep track of the old firewall rules we eliminate. Should we keep track of these rules, and if so, how?
First, let me commend you and your company for maintaining something that is disregarded in far too many enterprise networks: change management. This is the sort of blocking and tackling that's hardly exciting work (it's actually quite boring), but it is nonetheless necessary for maintaining a secure network. How many configuration errors and security loopholes could be avoided if more attention were paid to change management?
Compliments aside, I must say that your company is erring by not tracking eliminated rules. I would equate this to not keeping track of the users who no longer have authority to access your network. While it's a good thing to explicitly state who is allowed on the network, a higher degree of certainty is attained when you explicitly state who is not allowed on your network.
A brief example: Let's say that for a certain time period, your company blocked all traffic from the 10.0.0.0/16 subnet. Then, after some time, it was determined that this subnet belonged to a legitimate organization and had valid business use, so the rule blocking 10.0.0.0/16 was eliminated and forgotten about. Now, suppose that a year or two later a new security administrator is hired and, while poring over the logs, he wrongly concludes that traffic coming from the 10.0.0.0/16 network is illegitimate and blocks the entire subnet. With nothing in the records to consult before making that decision, the new admin has blocked a legitimate network and disrupted business traffic, and nothing told him the same block had already been tried and deliberately reversed. Had your organization kept that history, the issue could have been avoided.
While a number of today's next-generation firewalls come with adequate change management tools, many organizations find that firewall configuration management software is the best way to manage changes to firewall rules, including ones that are no longer in use. Whatever tool you use, the record of a retired rule should capture at least the rule itself, when it was disabled or deleted, who requested and approved the change, the ticket it was done under, and the reason. Keeping such a record is especially helpful when an unexpected firewall problem occurs, as the cause can often be traced back to a rule that was mistakenly removed.
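As an added illustration, not code from the original answer or from any vendor's configuration management product, here is a small Python ledger that records the rules dropped between two ruleset snapshots together with the ticket and reason, and lets an administrator query it for overlapping history before committing a new deny rule. The rule format, the sample rulesets and the ticket number are constructed for the example.

```python
"""Retired-rule ledger for firewall change management (added example).

Assumptions, not taken from the original article: rules are simple
action/src/dst/proto/dport records, a ruleset is a list of them, and the
ledger is an in-memory list that a real deployment would persist to a
file or a change-management database.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import ipaddress
import json


@dataclass(frozen=True)
class Rule:
    action: str            # "deny" or "allow"
    src: str               # source CIDR
    dst: str = "0.0.0.0/0" # destination CIDR
    proto: str = "any"
    dport: str = "any"


def diff_rulesets(old, new):
    """Return (added, removed) sets of rules between two ruleset snapshots."""
    old_set, new_set = set(old), set(new)
    return new_set - old_set, old_set - new_set


def record_removals(ledger, old, new, reason, ticket, when=None):
    """Append every rule dropped between `old` and `new` to the ledger,
    with the when/why/ticket context needed to find it again later.
    Returns the number of rules recorded."""
    when = when or datetime.now(timezone.utc)
    _, removed = diff_rulesets(old, new)
    for rule in sorted(removed, key=lambda r: (r.src, r.dst, r.proto, r.dport)):
        ledger.append({
            "removed_at": when.isoformat(),
            "ticket": ticket,
            "reason": reason,
            "rule": asdict(rule),
        })
    return len(removed)


def _overlaps(cidr_a, cidr_b):
    """True when two CIDR blocks of the same IP version share any address."""
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.version == b.version and a.overlaps(b)


def prior_history(ledger, candidate):
    """Ledger entries whose retired rule touches the same source and
    destination addresses as `candidate`. Run this before committing a
    new deny rule so a previously reversed block is not repeated blindly."""
    return [
        entry for entry in ledger
        if _overlaps(entry["rule"]["src"], candidate.src)
        and _overlaps(entry["rule"]["dst"], candidate.dst)
    ]


# Constructed sample rulesets reproducing the scenario in the answer.
YEAR_ONE = [
    Rule("deny", "10.0.0.0/16"),
    Rule("allow", "192.0.2.0/24", proto="tcp", dport="443"),
]
# The block on 10.0.0.0/16 is later removed once the range is identified
# as belonging to a legitimate partner; only the allow rule remains.
YEAR_TWO = [
    Rule("allow", "192.0.2.0/24", proto="tcp", dport="443"),
]


def demo():
    """Record the year-one removal, then check a later proposal to re-block
    part of the same range. Returns the matching ledger entries."""
    ledger = []
    record_removals(
        ledger, YEAR_ONE, YEAR_TWO,
        reason="10.0.0.0/16 is a partner network with valid business use",
        ticket="CHG-0042",  # hypothetical ticket number
        when=datetime(2013, 3, 1, tzinfo=timezone.utc),
    )
    proposal = Rule("deny", "10.0.5.0/24")  # new admin's proposed block
    return prior_history(ledger, proposal)


if __name__ == "__main__":
    for hit in demo():
        print(json.dumps(hit, indent=2))
```

The overlap check is deliberately loose: a proposal to block 10.0.5.0/24 matches the retired rule for 10.0.0.0/16 even though the prefixes differ, because what the administrator needs to see is that someone already blocked addresses in that range and then chose to unblock them, and why.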