RE: [fw-wiz] Rule management process

From: Paul Melson
Date: 10/13/05

    To: "'Bret Watson'"
    Date: Thu, 13 Oct 2005 09:25:03 -0400

    -----Original Message-----
    Subject: [fw-wiz] Rule management process

    > we are in the last stages of our SSE-CMM lvl1 process improvement.
    > One last thing I'm a little stuck on is developing a process for ensuring
    > our rule set is i. sensible, ii. optimised and iii. does not have unused
    > Has anyone else done something like this ?

    I would start with documenting a specific scope and business need for all
    current rules and require that all future rules be documented in the same
    way. This doesn't need to be especially long or detailed, just a summary of
    what business function the rule serves to support. If it's a specific
    project or application, note that as well. Depending on the type(s) of
    firewall(s) being documented, it may be possible - and is in fact a good
    idea - to put some version of this information in a comment field in the
    actual firewall config. This will help in administration and auditing down
    the road. It may also be a good idea to consider some sort of review and
    approval process. It never hurts to have work double-checked for both
    technical and design missteps *before* it's put into production.

    As far as optimizing the rule set, I would think about doing regular audits
    of your firewall configs (at least annually). This can be documented in a
    short report and should reference any change requests or other documentation
    of remediation efforts that you undertake. The goal should be to make sure
    that you don't have redundant or obsolete rules (see below), and that rules
    follow the theory of least privilege.

    As far as unused rules go, the process and documentation you create for
    managing new rule creation should help reduce these, but things expire.
    Again, depending on the firewall(s) you're working with, the devices
    themselves may keep track of how often the rule is used. (If you want to
    talk specifics, list members can help with that, too.) This is the best
    avenue to pursue because it means not having to search through possibly even
    gigs of log data trying to match traffic to rules. Plus, anytime you can
    document something right from the source, that's a good thing.

    Since you're doing SSE-CMM Level 1 right now, you have a lot of flexibility
    to define and experiment with what works for you. I'd recommend trying a
    few different things along the way. You should also focus on doing the
    planning and documentation that would be appropriate for Level 2 as you go.
    If your organization pursues higher levels of SSE-CMM, you'll be glad you
    spent the time trying to find what works well for you instead of just
    getting it done. It will make the difference between SSE-CMM being a
    valuable undertaking for you and it just being more overhead to your actual

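The three checks the reply describes (a documented business need per rule, periodic audits for redundant rules, and device hit counters for unused rules) can be run over an exported rule set as below. This is an added example, not code from the thread or from any firewall vendor; the rule format, the `Rule`/`covers`/`audit` names and the sample rules are all constructed, and first-match semantics is assumed.

```python
# Added example: a vendor-neutral audit of an exported rule set for the three
# things the poster asked about: rules with no documented business need, rules
# with zero hits, and redundant rules shadowed by an earlier, broader rule.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    proto: str          # "tcp", "udp" or "any"
    ports: tuple        # (low, high) destination port range
    hits: int           # hit counter exported from the device
    comment: str = ""   # business justification kept in the config itself

def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet matching `narrow` also matches `broad`."""
    return (
        ip_network(narrow.src).subnet_of(ip_network(broad.src))
        and ip_network(narrow.dst).subnet_of(ip_network(broad.dst))
        and broad.proto in ("any", narrow.proto)
        and broad.ports[0] <= narrow.ports[0] <= narrow.ports[1] <= broad.ports[1]
    )

def audit(rules):
    """Return (rule name, finding) pairs for the periodic review report."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule.comment.strip():
            findings.append((rule.name, "undocumented"))
        if rule.hits == 0:
            findings.append((rule.name, "unused"))
        # First-match semantics: a covering earlier rule means this one never fires.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, f"shadowed by {earlier.name}"))
                break
    return findings

SAMPLE_RULES = [  # constructed sample rule set, not a real configuration
    Rule("web-in", "0.0.0.0/0", "10.1.1.0/24", "tcp", (80, 443), 48213,
         "Public web tier, project WEB-01"),
    Rule("web-in-old", "0.0.0.0/0", "10.1.1.10/32", "tcp", (443, 443), 0),
    Rule("dns-out", "10.0.0.0/8", "10.2.0.53/32", "udp", (53, 53), 9102,
         "Internal resolver for all office subnets"),
    Rule("legacy-ftp", "10.0.0.0/8", "192.168.5.7/32", "tcp", (21, 21), 0,
         "File server decommissioned in 2004"),
]
```

Running `audit(SAMPLE_RULES)` flags `web-in-old` three times (no comment, zero hits, shadowed by `web-in`) and `legacy-ftp` once (zero hits), which is the kind of list an annual review report would reference against change requests.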
