Sweating Your IT Assets – Look No Further Than Firewall Rules for Real Savings
There's no denying that IT budgets are currently being squeezed harder than ever before; "sweating your existing assets" and "doing more with less" have been the industry's watchwords for some time.
Against this background, routine maintenance tasks such as analysing your firewall's rule base seem totally unrelated to "doing more with less". But reviewing your rule base is one of the most cost-effective ways to improve your overall system's performance: done effectively, it can give you as much as a 30% performance improvement.
Reviewing and cleansing firewall rules is often overlooked or ignored, particularly as a regular maintenance activity: in a recent survey of IT security professionals, more than 50% admitted that their firewall rules were "a mess". After implementing a firewall, most organisations continuously add, amend and update rules – but few check on a regular basis that those rules are still relevant, appropriate and required. As a result, IT departments can be unwilling to review or amend the rule base; often they are (rightly) concerned that deleting or amending any rule may leave them vulnerable to security threats. Additionally, administrators need to be able to identify conflicting or overlapping rules, which can create security vulnerabilities of their own.
Often, the rule base is only cleansed because new rules need to be added and there simply isn't any capacity left to accommodate them. A typical firewall can function very effectively with a rule base of around 100 lines, yet it's not uncommon for firewalls to have at least 500 rules and, in some cases, many thousands. Over time, the rule base evolves into an extremely bulky linear list which, far from assisting, can clog and slow down a system's performance and create a bottleneck on the network. It's not difficult to understand the loss in performance if every packet passing through a firewall has to be checked against a lengthy set of rules, many of which are outdated, have been superseded or are no longer relevant.
Given the complexity and age of many rule bases, it's understandable that IT departments have real concerns that deleting or switching off specific rules may create more problems than it solves. But this needn't be as complicated or as difficult as expected: there are now rule-base analysis packages available, such as Tufin's SecureTrack, which can show what will happen when individual rules are changed or deleted. This kind of software can be particularly useful when upgrading to a new firewall, as it allows users to cleanse their rule book and then apply only the relevant rules to the new firewall – ensuring that it works at optimum efficiency.
If a new firewall isn't an option, there are several other ways in which reviewing your rule base can improve your systems' performance: ordering your rules so that the most important ones are at the top of the list will give a significant improvement in response times. Additionally, some rules (such as those which allow inbound traffic from the Internet, where the "source" address is 'any') are targeted more often than others for security breaches. Identifying these rules and then ensuring that they're 100% watertight will reduce your risk of a security breach.
There's another key reason to review firewall rules more frequently: audit and compliance. Companies looking to operate in certain industries, particularly retailing, financial services and healthcare, are increasingly being asked to provide assurances – and are audited accordingly – that they operate within the remit of industry guidelines and legislation such as the PCI DSS (data security standards) and Sarbanes-Oxley. An up-to-date, regularly maintained rule base for a firewall is an intrinsic part of providing the necessary audit trail and compliance information.
Reviewing your rule base may not be the most exciting activity, but given the tools now available and the obvious upside for performance, it may be one of the most effective ways to achieve that much-heralded goal of doing more with less.
Author: Nick Garlick, managing director, Nebulas Solutions Group
July 2009