Firewall Wizards mailing list archives
Re: How to keep firewall rules clean and up-to-date
From: "Lloyd, Mike" <drmike () redseal net>
Date: Thu, 28 Apr 2011 09:25:11 -0700 (PDT)
Fair warning: I make software to work on problems like this, and their associated risks. That said, I will try to keep my comments properly vendor-neutral. Ilias asked:
What do you do to keep your firewall rules clean and up-to-date? Procedures, for which? Keep in mind; -Servers that change from IP -Server which has been discarded etc.
Others have already brought up organization discipline, and this is definitely key. However, errors still happen, and accumulate over time. There are technologies that can look at the firewall alone, and identify things like rules that cannot be hit. You can also look for rules that aren't seeing any traffic, by looking in the logs. However, this faces serious problems in reality. (Scanners and other tests can "tickle" lots of rules that aren't otherwise used, making it unclear what "unused" really means. And on the other side, exactly how long do you have to wait to be truly confident a rule "isn't used"?)

Worse, as you point out, Ilias, you cannot do everything by just looking at the firewall. You really need to COMPARE your firewall to your infrastructure - are there rules allowing access to IPs where there simply is no host any more? Are there hosts that are exposed that are not being scanned regularly? Are there exposed hosts that are "forgotten" by the process, and are thus not being patched? All of these can be answered, but they take a "multi-silo" approach - you need to compare your firewall data to your scan data. The scan data may just be nmap, or something richer that maps out known vulnerabilities (and can thus detect things like unpatched, overlooked hosts).

This may sound daunting, but my experience is that it IS possible, and it's EXTREMELY productive. I've seen real cases of a security team getting their first insight into comparing firewalls to scan data, and immediately proceeding to pull power cords out of a couple of machines that should have been decommissioned, but were simply forgotten.

Hope that helps - am happy to discuss technical approaches off-list if need be.

Mike Lloyd
Chief Scientist
RedSeal Systems, Inc.
http://www.redseal.net

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
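The "multi-silo" comparison the post describes, as an added example that is not part of the original message or of any RedSeal product: allow rules are checked against a constructed host-discovery result to flag rules whose destination range contains no live host, and live hosts reachable through a rule are checked against a constructed patch/scan coverage list to flag the "forgotten" machines. Rule tuples, the `SCAN_LIVE` and `SCAN_COVERAGE` data and the function names are all assumptions made for this example.

```python
import ipaddress

# Constructed sample data (not from the original post).
# Firewall allow rules: (rule id, destination network in CIDR, destination port)
RULES = [
    ("r1", "10.0.1.0/24", 443),
    ("r2", "10.0.2.10/32", 22),
    ("r3", "10.0.3.0/24", 3389),
]

# Hosts a recent discovery scan (e.g. nmap) reported live: IP -> open ports
SCAN_LIVE = {
    "10.0.1.5": {443},
    "10.0.1.6": {443, 8080},
    "10.0.3.20": {3389},
}

# Hosts the vulnerability-management / patching process claims to cover
SCAN_COVERAGE = {"10.0.1.5", "10.0.1.6"}


def stale_rules(rules, live_hosts):
    """Rule ids whose destination range contains no host seen live by the scan.

    This is independent of rule hit counts, so it does not suffer from the
    'scanner tickled the rule' ambiguity of log-based unused-rule detection."""
    live = [ipaddress.ip_address(h) for h in live_hosts]
    stale = []
    for rid, dst, _port in rules:
        net = ipaddress.ip_network(dst)
        if not any(ip in net for ip in live):
            stale.append(rid)
    return stale


def unmanaged_exposed_hosts(rules, live_hosts, covered):
    """Live hosts reachable through an allow rule (matching destination and an
    open port) that are absent from the scan/patch coverage list."""
    exposed = set()
    for host, ports in live_hosts.items():
        ip = ipaddress.ip_address(host)
        for _rid, dst, port in rules:
            if ip in ipaddress.ip_network(dst) and port in ports:
                exposed.add(host)
    return sorted(exposed - set(covered))


if __name__ == "__main__":
    print("rules with no live destination host:", stale_rules(RULES, SCAN_LIVE))
    print("exposed hosts outside coverage:", unmanaged_exposed_hosts(RULES, SCAN_LIVE, SCAN_COVERAGE))
```

With the constructed data, r2 points at an address no scan has seen live, and 10.0.3.20 is reachable on 3389 but is not in the patch coverage list.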