Asher Benbenisty, Director of Product Marketing, looks at why it is essential for enterprises to take an application-centric approach to firewall rule recertification, and shows how to simplify and automate this challenging process
We’re all familiar with the use-by dates on food packaging. They tell us when foods, especially those with fresh or perishable ingredients, could pose a health risk if we eat them after the use-by date has expired.
But when was the last time you checked the use-by dates on the firewall rules that are in use across your network? Outdated and obsolete rules pose a significant risk to the health of your network, and in many cases can cause costly breaches or compliance violations. But in many organizations those obsolete rules are still hanging around like an old jar of pesto at the back of your fridge.
Why recertification matters
The typical enterprise network today is more dynamic than ever before. With applications being deployed, changed or migrated to different environments on a daily or even hourly basis, networking and security teams are under enormous pressure to continually ensure that appropriate firewall rules are in place to protect each individual application. But what’s ‘appropriate’ today may not be valid in a few months’ time. Rules can become redundant, passing their use-by date for one of three main reasons.
First, an application can be decommissioned, so the firewall rules associated with it are no longer required. Second, an application can be upgraded and therefore now use different ports – for example, if a desktop application is upgraded to a web application. This is very common. And third, an endpoint can be moved to a different datacenter, perhaps as part of a cloud migration or a hardware refresh. New rules will be created to support the new location – but if the old ones aren’t removed, they introduce unnecessary risk.
Obsolete security rules greatly increase the attack surface that hackers can exploit, add complexity to daily tasks such as change management, troubleshooting and auditing, and trigger compliance violations. Moreover, if a new system reuses the same IP address as a decommissioned application, the old rule silently grants the new system access that nobody ever approved for it.
Additionally, firewall rule bloat overburdens your security hardware and slows down your firewalls, which has an immediate performance impact and longer-term consequences for their lifespan.
Checking the rules
That’s the why, but how should enterprises actually go about recertifying their security rules, and ensure that obsolete rules are removed? The recertification process typically includes four steps for each rule:
- Examine firewall logs and establish when the rule last matched traffic – fairly obviously, a rule that was hit this morning is less likely to be obsolete than one that was last matched two months ago. Bear in mind that a rule with no hits inside the log retention window may still serve an infrequent process, such as a quarterly batch job or a disaster-recovery failover, which is why the next two steps are needed.
- Read the comments associated with the rule, to see who requested it and what application it serves.
- Verify with the relevant contact person or team that the application is still in use.
- Finally you need to either remove the rule, because it is truly obsolete, or extend the expiration date further.
These four steps should be followed either on an ongoing basis, where an expiration date is set for each firewall rule and upcoming expiration dates are reviewed each week; or on a periodic project basis, where firewall administrators review and validate all the firewall rules from all firewalls on the enterprise’s networks.
But performing this four-step process is extremely time-consuming, and error-prone if handled manually. A typical enterprise may have hundreds or even thousands of firewalls, each with hundreds or even thousands of firewall rules. Combing through every rule, and finding the relevant contacts for each in the respective business units in the enterprise would create a huge operational overhead, tying up staff for weeks – while exposing the enterprise to potential security and compliance risks in the meantime.
Rules and applications
However, there is an alternative: an application-centric approach to rule recertification significantly streamlines this process. Fundamentally, firewall rules exist to support business applications, so it’s far easier to identify the rules that need to be recertified based on whether they support an existing application or not.
If the application is currently in use and has not been modified, all its rules should still apply and therefore can be immediately recertified. If the application has been retired or removed, then its rules are no longer relevant and should also be removed. If an application has been altered, then further research is needed to determine the status and validity of its firewall rules.
So how do enterprises go about taking an application-centric approach to rule recertification? The first step is to identify all the firewalls on the enterprise network, together with their associated rules, network objects and configurations. A security policy management solution can provide this network-wide visibility, ensuring that no device is overlooked in the process. The solution should also provide a detailed report showing unused firewall rules, giving an initial target list of rules for review by security teams.
The next step is to identify all the applications on the organization’s networks. Again, the security policy management solution should automatically discover and map application connectivity across the entire network environment, removing much of the laborious, time-consuming manual work. This process is likely to reveal applications that are not being used, and these can be safely decommissioned together with their rules.
Then, all firewalls and their rules should be associated with the applications they serve – a task which the policy management solution should be able to do automatically.
All that remains is to use security management automation to remove the redundant rules that are not associated with an active application. It is good practice to check usage reports before you delete these rules: a rule that has no active application behind it but is still matching traffic usually means the application mapping is incomplete or an IP address has been reused, and it should be sent for review rather than deleted. The solution should also create a full audit trail of this entire process, and can also include the ability to set an expiration date for rules, and automatically alert security teams when they need to be reviewed and recertified.
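The following is an added example, not code from the article or from any product it describes, showing the four-step check and the application-centric decision logic as one script. It takes a rule export carrying last-hit dates from firewall logs, the owner recorded in the rule comment, and each rule's use-by date, together with an application inventory, and classifies every rule as recertify, remove or review. The 90-day log window, the one-year extension on recertification and the seven-day review horizon are assumed thresholds, and all rules and applications are constructed sample data.

```python
"""Added example: application-centric firewall rule recertification.

Classify each rule as "recertify", "remove" or "review" from the status of
the application it serves and from its usage, and list the rules due in the
weekly expiry review. All thresholds and data below are assumptions.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str
    dst: str
    service: str
    app: Optional[str]        # application the rule serves (None = undocumented)
    owner: Optional[str]      # contact recorded in the rule comment
    certified_on: date        # last time the rule was (re)certified
    expires: date             # use-by date set at certification
    last_hit: Optional[date]  # last log entry matching the rule (None = never)


@dataclass(frozen=True)
class Application:
    name: str
    status: str               # "active" or "retired"
    last_changed: date        # last upgrade, port change or migration


# Assumed thresholds (not from the article).
LOG_WINDOW_DAYS = 90          # no hit inside this window counts as "unused"
RECERT_DAYS = 365             # use-by extension granted on recertification
REVIEW_HORIZON_DAYS = 7       # weekly review looks this far ahead


def classify(rule: Rule, apps: dict, today: date) -> tuple:
    """Decide a rule's fate from its application's status and its usage."""
    recently_hit = (rule.last_hit is not None
                    and (today - rule.last_hit).days <= LOG_WINDOW_DAYS)
    app = apps.get(rule.app) if rule.app else None

    if app is None or app.status == "retired":
        # No active application behind the rule: removal candidate. The usage
        # check guards against deleting a live rule, e.g. one now matching a
        # new system that inherited the decommissioned app's IP address.
        if recently_hit:
            return "review", "no active application but still matching traffic"
        return "remove", "no active application and no hits in log window"

    if app.last_changed > rule.certified_on:
        # Application changed since certification (new ports, new location):
        # the rule may be stale even though the application is in use.
        return "review", f"{app.name} changed on {app.last_changed} after certification"

    return "recertify", f"{app.name} active and unchanged since certification"


def extend_expiry(rule: Rule, today: date) -> Rule:
    """Recertify: stamp today's date and push the use-by date out."""
    return replace(rule, certified_on=today,
                   expires=today + timedelta(days=RECERT_DAYS))


def due_for_review(rules: list, today: date) -> list:
    """Rules whose use-by date is within the horizon or has already passed."""
    cutoff = today + timedelta(days=REVIEW_HORIZON_DAYS)
    return sorted((r for r in rules if r.expires <= cutoff), key=lambda r: r.expires)


def run_recertification(rules: list, apps: dict, today: date) -> tuple:
    """Return ({decision: [rule_ids]}, surviving rules with expiries updated)."""
    decisions = {"recertify": [], "remove": [], "review": []}
    kept = []
    for rule in rules:
        decision, _reason = classify(rule, apps, today)
        decisions[decision].append(rule.rule_id)
        if decision == "recertify":
            kept.append(extend_expiry(rule, today))
        elif decision == "review":
            kept.append(rule)   # left untouched until the owner confirms
    return decisions, kept


# Constructed sample inventory and rule export.
TODAY = date(2024, 3, 1)
APPS = {a.name: a for a in [
    Application("payroll", "active", date(2023, 6, 1)),
    Application("portal", "active", date(2024, 2, 10)),     # upgraded to a web app
    Application("legacy-crm", "retired", date(2023, 12, 15)),
]}
RULES = [
    Rule("R1", "10.1.0.0/24", "10.2.0.10", "tcp/5432", "payroll", "hr-it",
         date(2023, 9, 1), date(2024, 3, 5), date(2024, 2, 29)),
    Rule("R2", "10.1.0.0/24", "10.2.0.20", "tcp/1433", "legacy-crm", "sales-it",
         date(2023, 3, 1), date(2024, 3, 1), date(2023, 11, 20)),
    Rule("R3", "0.0.0.0/0", "10.2.0.21", "tcp/8080", "legacy-crm", "sales-it",
         date(2023, 6, 1), date(2024, 6, 1), date(2024, 2, 28)),  # IP reused?
    Rule("R4", "10.1.0.0/24", "10.2.0.30", "tcp/3389", "portal", "web-team",
         date(2023, 10, 1), date(2024, 4, 1), date(2024, 2, 28)),
    Rule("R5", "10.1.0.0/24", "10.2.0.40", "tcp/21", None, None,
         date(2022, 1, 1), date(2024, 1, 1), None),
    Rule("R6", "10.1.0.0/24", "10.2.0.50", "tcp/443", "unknown-app", None,
         date(2023, 8, 1), date(2024, 8, 1), date(2024, 2, 20)),
]

if __name__ == "__main__":
    for r in due_for_review(RULES, TODAY):
        print(f"due {r.expires}: {r.rule_id}")
    for r in RULES:
        print(r.rule_id, *classify(r, APPS, TODAY))
    print(run_recertification(RULES, APPS, TODAY)[0])
```

In the sample data R2 and R5 are removed outright (retired or undocumented application, no hits in the log window), R1 is recertified with a new use-by date, and R3, R4 and R6 go to a person: R3 because a retired application's rule is still passing traffic, R4 because the application changed after the rule was certified, and R6 because the rule names an application the inventory does not know. Removal never happens on the strength of the application mapping alone, which is the usage check the text recommends.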
In conclusion, ignoring the use-by dates on firewall rules can be just as risky to the health of your security posture as ignoring them on food products. For the sake of your network’s (and your company’s) health, security and compliance, you need to ensure you regularly check and manage your firewall rules.