Re: [fw-wiz] How to keep firewall rules clean and up-to-date
- From: "Lloyd, Mike" <drmike@xxxxxxxxxxx>
- Date: Thu, 28 Apr 2011 09:25:11 -0700 (PDT)
Fair warning: I make software to work on problems like this, and their
associated risks. That said, I will try to keep my comments properly
What do you do to keep your firewall rules clean and up-to-date?
Procedures, for which?
Keep in mind;
-Servers that change from IP
-Server which has been discarded
Others have already brought up organization discipline, and this is
definitely key. However, errors still happen, and accumulate over time.
There are technologies that can look at the firewall alone, and identify
things like rules that cannot be hit. You can also look for rules that
aren't seeing any traffic, by looking in the logs. However, this faces
serious problems in reality. (Scanners and other tests can "tickle" lots
of rules that aren't otherwise used, making it unclear what "unused"
really means. And on the other side, exactly how long do you have to wait
to be truly confident a rule "isn't used"?)
Worse, as you point out, Ilias, you cannot do everything by just looking
at the firewall. You really need to COMPARE your firewall to your
infrastructure - are there rules allowing access to IP's where there
simply is no host any more? Are there hosts that are exposed that are not
being scanned regularly? Are there exposed hosts that are "forgotten" by
the process, and are thus not being patched?
All of these can be answered, but they take a "multi-silo" approach - you
need to compare your firewall data to your scan data. The scan data may
just be nmap, or something richer that maps out known vulnerabilities (and
can thus detect things like unpatched, overlooked hosts). This may sound
daunting, but my experience is that it IS possible, and it's EXTREMELY
productive. I've seen real cases of a security team getting their first
insight into comparing firewalls to scan data, and immediately proceeding
to pull power cords out of a couple of machines that should have been
decommissioned, but were simply forgotten.
Hope that helps - am happy to discuss technical approaches off-list if
RedSeal Systems, Inc.
firewall-wizards mailing list
- Prev by Date: Re: [fw-wiz] Proxies, opensource and the general market: what's wrong with us?
- Next by Date: Re: [fw-wiz] How to keep firewall rules clean and up-to-date
- Previous by thread: Re: [fw-wiz] How to keep firewall rules clean and up-to-date