Firewall Wizards mailing list archives

Re: How to keep firewall rules clean and up-to-date


From: "Lloyd, Mike" <drmike () redseal net>
Date: Thu, 28 Apr 2011 09:25:11 -0700 (PDT)

Fair warning: I make software to work on problems like this, and their
associated risks.  That said, I will try to keep my comments properly
vendor-neutral.

Ilias asked:

What do you do to keep your firewall rules clean and up-to-date?
Procedures, for which?

Keep in mind:

-Servers that change from IP
-Server which has been discarded
etc.

Others have already brought up organization discipline, and this is
definitely key.  However, errors still happen, and accumulate over time.  

There are technologies that can look at the firewall alone, and identify
things like rules that cannot be hit.  You can also look for rules that
aren't seeing any traffic, by looking in the logs.  However, this faces
serious problems in reality.  (Scanners and other tests can "tickle" lots
of rules that aren't otherwise used, making it unclear what "unused"
really means.  And on the other side, exactly how long do you have to wait
to be truly confident a rule "isn't used"?)

Worse, as you point out, Ilias, you cannot do everything by just looking
at the firewall.  You really need to COMPARE your firewall to your
infrastructure - are there rules allowing access to IPs where there
simply is no host any more?  Are there hosts that are exposed that are not
being scanned regularly?  Are there exposed hosts that are "forgotten" by
the process, and are thus not being patched?

All of these can be answered, but they take a "multi-silo" approach - you
need to compare your firewall data to your scan data.  The scan data may
just be nmap, or something richer that maps out known vulnerabilities (and
can thus detect things like unpatched, overlooked hosts).  This may sound
daunting, but my experience is that it IS possible, and it's EXTREMELY
productive.  I've seen real cases of a security team getting their first
insight into comparing firewalls to scan data, and immediately proceeding
to pull power cords out of a couple of machines that should have been
decommissioned, but were simply forgotten.

Hope that helps - am happy to discuss technical approaches off-list if
need be.

Mike Lloyd
Chief Scientist
RedSeal Systems, Inc.
http://www.redseal.net

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
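
An added example, not part of Mike Lloyd's message or any vendor's code: a minimal sketch of the firewall-versus-scan comparison he describes. The rule and scan record layouts, the sample data, and the 30-day threshold are all assumptions made for illustration. The check for permitted ports with no listener goes one step beyond the post.

```python
import ipaddress
from datetime import date

# Constructed sample data (hypothetical rule export and scan summary).
RULES = [
    {"id": "r1", "action": "permit", "dst": "192.0.2.10/32", "port": 443},
    {"id": "r2", "action": "permit", "dst": "192.0.2.20/32", "port": 22},
    {"id": "r3", "action": "permit", "dst": "198.51.100.0/29", "port": 80},
    {"id": "r4", "action": "deny", "dst": "192.0.2.99/32", "port": 23},
    {"id": "r5", "action": "permit", "dst": "192.0.2.10/32", "port": 8443},
]
# ip -> (date a scan last saw the host alive, open TCP ports it found)
SCAN = {
    "192.0.2.10": (date(2011, 4, 25), {443}),
    "198.51.100.3": (date(2011, 1, 3), {80, 8080}),
}
TODAY = date(2011, 4, 28)  # constructed "now" so the result is repeatable


def compare(rules, scan, today, max_age_days=30):
    """Return (stale_rules, overdue_hosts, no_listener_rules)."""
    stale, overdue, no_listener = [], set(), []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        net = ipaddress.ip_network(rule["dst"])
        hosts = [ip for ip in scan if ipaddress.ip_address(ip) in net]
        if not hosts:
            # Rule allows traffic to addresses where no scan has found a host.
            stale.append(rule["id"])
            continue
        for ip in hosts:
            if (today - scan[ip][0]).days > max_age_days:
                # Host is exposed through the firewall but not scanned recently.
                overdue.add(ip)
        if not any(rule["port"] in scan[ip][1] for ip in hosts):
            # Host exists, but nothing listens on the permitted port.
            no_listener.append(rule["id"])
    return stale, sorted(overdue), no_listener


if __name__ == "__main__":
    stale, overdue, no_listener = compare(RULES, SCAN, TODAY)
    print("permit rules with no host behind them:", stale)
    print("exposed hosts with no recent scan:", overdue)
    print("permit rules with no listener on the port:", no_listener)
```

Each list is a set of candidates for review rather than proof: a host missing from scan data may be down, filtered from the scanner's vantage point, or simply outside the scan's scope.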

