Manage Learn to apply best practices and optimize your operations.

How should multiple firewall rules be managed?

Even with a change management system, firewall rule bases can become a nightmare for administrators. In this Q&A, network security expert Mike Chapple points out incorrect, overlapping and unused rules that can ruin your firewall.

I hear that there are now available firewall rule base tools that assist in consolidating messy rules schemes. Do you have any experience with these tools and could you recommend any for Cisco Systems PIX or Check Point firewalls?

Rule base management is certainly a problem area for many firewall administrators. It's easy for firewall rule bases to become riddled with incorrect, overlapping and unused rules, even in the presence of a change management system. There has been a bit of academic research into this topic during the past few years, and researchers have identified a number of anomalies worthy of an administrator's attention:

  • Overlapping/shadowed rules often occur when administrators create one high-priority rule that generalizes lower priority rules. For example, the administrator might create a rule that appears high in the rule base, allowing, say, all SMTP traffic. An older rule, lower in the base, might specifically allow SMTP traffic to a mail server. Because of its similarity and lower priority, however, this more specific rule will never be triggered. The situation could be made worse when the lower rule is intended to block traffic to a particular server. Since the generalized rule appears first, the block would never take effect.

  • Orphaned rules occur when services or systems disappear from the network, or other changes render a rule obsolete. All too often, these rules are never removed from the firewall, creating a potential security hole and adding to a firewall administrator's burden.

  • Unused rules are similar to orphaned rules, except these rules were never used in the first place. Unused rules could be the result of change requests from projects that never materialized, or they could occur because of administrator error when creating a rule.

    There are a couple of commercial tools that attempt to tackle these problems, such as Secure Passage LLC's FireMon and Algorithimic Security (AlgoSec) Inc's Firewall Analyzer. The true solution, however, is to keep your rule base simple, limit it to a manageable size and conduct regular audits.

  • This was last published in February 2009

    Dig Deeper on Application firewall security