RE: [fw-wiz] Rule management process
From: Paul Melson (pmelson_at_gmail.com)
To: "'Bret Watson'" <firstname.lastname@example.org>, <email@example.com>
Date: Thu, 13 Oct 2005 09:25:03 -0400
Subject: [fw-wiz] Rule management process
> we are in the last stages of our SSE-CMM lvl1 process improvement.
> One last thing I'm a little stuck on is developing a process for ensuring
> our rule set is i. sensible, ii. optimised and iii. does not have unused
> Has anyone else done something like this?

I would start with documenting a specific scope and business need for all
current rules and require that all future rules be documented in the same
way. This doesn't need to be especially long or detailed, just a summary of
what business function the rule serves to support. If it's a specific
project or application, note that as well. Depending on the type(s) of
firewall(s) being documented, it may be possible - and is in fact a good
idea - to put some version of this information in a comment field in the
actual firewall config. This will help in administration and auditing down
the road. It may also be a good idea to consider some sort of review and
approval process. It never hurts to have work double-checked for both
technical and design missteps *before* it's put into production.
As far as optimizing the rule set, I would think about doing regular audits
of your firewall configs (at least annually). This can be documented in a
short report and should reference any change requests or other documentation
of remediation efforts that you undertake. The goal should be to make sure
that you don't have redundant or obsolete rules (see below), and that rules
follow the theory of least privilege.
As far as unused rules go, the process and documentation you create for
managing new rule creation should help reduce these, but things expire.
Again, depending on the firewall(s) you're working with, the devices
themselves may keep track of how often the rule is used. (If you want to
talk specifics, list members can help with that, too.) This is the best
avenue to pursue because it means not having to search through possibly even
gigs of log data trying to match traffic to rules. Plus, anytime you can
document something right from the source, that's a good thing.
Since you're doing SSE-CMM Level 1 right now, you have a lot of flexibility
to define and experiment with what works for you. I'd recommend trying a
few different things along the way. You should also focus on doing the
planning and documentation that would be appropriate for Level 2 as you go.
If your organization pursues higher levels of SSE-CMM, you'll be glad you
spent the time trying to find what works well for you instead of just
getting it done. It will make the difference between SSE-CMM being a
valuable undertaking for you and it just being more overhead to your actual

firewall-wizards mailing list
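The audit checks the reply above describes (a documented business need per rule, the device's own hit counters as the source for finding unused rules, and a periodic review for redundant or over-broad rules) as an added Python example; this is not code from the original post or from any firewall vendor. The pipe-delimited export format, the sample rules and the change-request numbers in the comment field are constructed for the example and match no real product's export.

```python
"""Audit a simplified firewall rule export for the checks discussed in the
thread: undocumented rules, unused rules (zero hit count), rules made
unreachable by an earlier broader rule, and permits too broad for least
privilege.

The export format is constructed for this example: pipe-delimited, one
rule per line, fields id|action|src|dst|proto|dport|hits|comment. It is
not any vendor's real export format.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample export (not real firewall data). Rule 20 duplicates
# rule 10, rule 30 is a broad "temporary" permit, rule 40 is a legacy host.
SAMPLE_EXPORT = """\
# id|action|src|dst|proto|dport|hits|comment
10|permit|10.1.0.0/16|192.168.5.10/32|tcp|443|48213|CR-1042 HR web portal
20|permit|10.1.0.0/16|192.168.5.10/32|tcp|443|0|
30|permit|0.0.0.0/0|192.168.5.0/24|tcp|any|1200|temporary for project X
40|permit|10.1.22.0/24|192.168.5.20/32|tcp|22|0|CR-0991 legacy backup host
50|deny|0.0.0.0/0|0.0.0.0/0|any|any|998877|default deny
"""

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    rule_id: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: str
    hits: int
    comment: str

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule, so
        `other` can never be reached when this rule is evaluated first."""
        return (
            other.src.subnet_of(self.src)
            and other.dst.subnet_of(self.dst)
            and self.proto in ("any", other.proto)
            and self.dport in ("any", other.dport)
        )


def parse_rules(text: str) -> List[Rule]:
    """Parse the pipe-delimited export, skipping comment and blank lines."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rid, action, src, dst, proto, dport, hits, comment = line.split("|", 7)
        rules.append(Rule(int(rid), action, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), proto, dport,
                          int(hits), comment.strip()))
    return rules


def find_undocumented(rules: List[Rule]) -> List[int]:
    """Rules with no business justification recorded in the comment field."""
    return [r.rule_id for r in rules if not r.comment]


def find_unused(rules: List[Rule]) -> List[int]:
    """Rules the device has never matched since its counters were last reset;
    confirm the reset date before treating these as obsolete."""
    return [r.rule_id for r in rules if r.hits == 0]


def find_shadowed(rules: List[Rule]) -> Dict[int, int]:
    """Map each unreachable rule to the first earlier rule that fully covers it."""
    shadowed = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                shadowed[later.rule_id] = earlier.rule_id
                break
    return shadowed


def find_overly_broad(rules: List[Rule]) -> List[int]:
    """Permits with an unrestricted source or destination (least-privilege check)."""
    return [r.rule_id for r in rules
            if r.action == "permit" and (r.src == ANY_NET or r.dst == ANY_NET)]


def audit(text: str) -> Dict[str, object]:
    """Run all four checks over an export and return the findings by category."""
    rules = parse_rules(text)
    return {
        "undocumented": find_undocumented(rules),
        "unused": find_unused(rules),
        "shadowed": find_shadowed(rules),
        "overly_broad": find_overly_broad(rules),
    }


if __name__ == "__main__":
    for finding, ids in audit(SAMPLE_EXPORT).items():
        print(f"{finding}: {ids}")
```

The shadow check is action-independent on purpose: a rule that sits below a broader match is dead whether it permits or denies, and a zero hit count on such a rule is the counter confirming what the ordering already implies. A zero hit count on its own is only a candidate, since it says nothing about traffic before the last counter reset, which is why the findings feed a review rather than an automatic removal.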