Firewall Wizards mailing list archives
RE: Rule management process
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 13 Oct 2005 09:25:03 -0400
-----Original Message-----
Subject: [fw-wiz] Rule management process

> We are in the last stages of our SSE-CMM lvl1 process improvement. One last thing I'm a little stuck on is developing a process for ensuring our rule set is i. sensible, ii. optimised and iii. does not have unused rules.
>
> Has anyone else done something like this?
I would start with documenting a specific scope and business need for all current rules and require that all future rules be documented in the same way. This doesn't need to be especially long or detailed, just a summary of what business function the rule serves to support. If it's a specific project or application, note that as well. Depending on the type(s) of firewall(s) being documented, it may be possible - and is in fact a good idea - to put some version of this information in a comment field in the actual firewall config. This will help in administration and auditing down the road.

It may also be a good idea to consider some sort of review and approval process. It never hurts to have work double-checked for both technical and design missteps *before* it's put into production.

As far as optimizing the rule set, I would think about doing regular audits of your firewall configs (at least annually). This can be documented in a short report and should reference any change requests or other documentation of remediation efforts that you undertake. The goal should be to make sure that you don't have redundant or obsolete rules (see below), and that rules follow the theory of least privilege.

As far as unused rules go, the process and documentation you create for managing new rule creation should help reduce these, but things expire. Again, depending on the firewall(s) you're working with, the devices themselves may keep track of how often the rule is used. (If you want to talk specifics, list members can help with that, too.) This is the best avenue to pursue because it means not having to search through possibly even gigs of log data trying to match traffic to rules. Plus, anytime you can document something right from the source, that's a good thing.

Since you're doing SSE-CMM Level 1 right now, you have a lot of flexibility to define and experiment with what works for you. I'd recommend trying a few different things along the way. You should also focus on doing the planning and documentation that would be appropriate for Level 2 as you go. If your organization pursues higher levels of SSE-CMM, you'll be glad you spent the time trying to find what works well for you instead of just getting it done. It will make the difference between SSE-CMM being a valuable undertaking for you and it just being more overhead to your actual work.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
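The three checks the reply recommends (every rule carries a documented business need in its comment field, the rule set has no redundant or obsolete rules, and unused rules are found from the device's own hit counters rather than from log data) can be run mechanically against an `iptables-save -c` dump. The following script is an added example written for this archive page, not code from the original thread or from either poster. The rule set it parses is constructed for illustration; `audit()`, `find_shadowed()` and the conservative "opaque match" rule are this example's own design choices, not anything the reply prescribes.

```python
"""Audit an iptables rule set for unused, undocumented and shadowed rules.

Input is the text produced by `iptables-save -c`, which prefixes every rule
with its packet/byte counters: "[pkts:bytes] -A CHAIN ... -j TARGET".
"""
import ipaddress
import re
import shlex

# Constructed sample in iptables-save -c format; not taken from a real host.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[48211:3901552] -A INPUT -m state --state ESTABLISHED,RELATED -m comment --comment "CR-0001 return traffic" -j ACCEPT
[1532:120488] -A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -m comment --comment "CR-1042 ssh from corp" -j ACCEPT
[0:0] -A INPUT -s 10.1.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 192.168.50.7/32 -p tcp -m tcp --dport 8443 -m comment --comment "CR-0877 legacy monitoring" -j ACCEPT
[77:6160] -A FORWARD -s 10.20.0.0/16 -d 172.16.5.10/32 -p tcp -m tcp --dport 443 -m comment --comment "CR-1100 project atlas" -j ACCEPT
COMMIT
"""

COUNTER_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
# Match modules whose effect the shadow check models; any other -m module is
# treated as "opaque", so a rule using it is never claimed to shadow another.
TRANSPARENT_MODULES = {"comment", "tcp", "udp"}


def parse_rules(text):
    """Return one dict per -A rule, in ruleset order (chain/table lines skipped)."""
    rules = []
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if not m:
            continue
        pkts, _bytes, chain, rest = m.groups()
        rule = {"chain": chain, "packets": int(pkts), "src": ANY_NET, "dst": ANY_NET,
                "proto": None, "dport": None, "target": None, "comment": None,
                "opaque": False, "line": line.strip()}
        tokens = shlex.split(rest)  # keeps the quoted --comment value intact
        i = 0
        while i < len(tokens):
            t = tokens[i]
            if t in ("-s", "--source"):
                rule["src"] = ipaddress.ip_network(tokens[i + 1], strict=False); i += 2
            elif t in ("-d", "--destination"):
                rule["dst"] = ipaddress.ip_network(tokens[i + 1], strict=False); i += 2
            elif t in ("-p", "--protocol"):
                rule["proto"] = tokens[i + 1]; i += 2
            elif t == "--dport":
                rule["dport"] = tokens[i + 1]; i += 2
            elif t == "-j":
                rule["target"] = tokens[i + 1]; i += 2
            elif t == "--comment":
                rule["comment"] = tokens[i + 1]; i += 2
            elif t == "-m":
                if tokens[i + 1] not in TRANSPARENT_MODULES:
                    rule["opaque"] = True  # e.g. -m state: narrower than src/dst/port show
                i += 2
            else:
                i += 1  # option values and options the audit does not model
        rules.append(rule)
    return rules


def covers(a, b):
    """True when earlier rule a matches every packet a later rule b would match."""
    if a["chain"] != b["chain"] or a["opaque"]:
        return False
    if a["src"].version != b["src"].version:
        return False  # ip6tables dumps are audited separately
    return (b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and a["proto"] in (None, b["proto"])
            and a["dport"] in (None, b["dport"]))


def find_shadowed(rules):
    """Pairs (shadowed, covering) where an earlier rule makes a later one unreachable."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                found.append((later, earlier))
                break
    return found


def audit(text):
    """Run the three checks from the reply and return the offending rule lines."""
    rules = parse_rules(text)
    return {
        "unused": [r["line"] for r in rules if r["packets"] == 0],
        "undocumented": [r["line"] for r in rules if not r["comment"]],
        "shadowed": [(b["line"], a["line"]) for b, a in find_shadowed(rules)],
    }


if __name__ == "__main__":
    for category, hits in audit(SAMPLE_RULES).items():
        print(f"{category}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

On the constructed sample the 10.1.2.0/24 SSH rule is reported three times over: it has no comment, its counter is zero, and it is shadowed by the broader 10.0.0.0/8 rule above it, so it can be removed outright. The 192.168.50.7 rule is documented but idle, which is a candidate for the change-request follow-up the reply describes rather than an automatic deletion: packet counters are reset by a reboot or a rule reload, so collect them over a full business cycle before declaring a rule dead, and a quarter-end job may be the only thing that ever hits it. The shadow check is deliberately conservative, since a rule using a match module the script does not model (`-m state` here) is never reported as covering another rule.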
Current thread:
- Rule management process Bret Watson (Oct 12)
- RE: Rule management process Paul Melson (Oct 13)