Unused rules: Rules that have not matched any packet during a specified period. AFA reads the firewall logs and compares the actual traffic against the rules in the policy. Unused rules are ideal candidates for removal; often the application has been decommissioned or the server has moved to a different address. The period over which AFA checks rule usage is configurable: the default is 60 days, but the AFA administrator can change it to several months or several days as required.

Covered or duplicated rules: Rules that can never match traffic because a prior rule, or a combination of earlier rules, prevents any packet from reaching them. During firewall cleanup such covered rules can be deleted since they will never be used. Covered and duplicated rules make the firewall spend processing time for nothing and degrade its performance.

Redundant special-case rules: Rules that are covered by a subsequent rule with the same action and can therefore be removed without altering the security policy; the earlier rule is a special case of the succeeding rule.

Disabled rules: Rules that are marked disabled and are not in operation. Disabled rules are ideal candidates for removal, unless the administrator keeps them for occasional use or as a historical record.

Time-inactive rules: Rules that were active for a specified period in the past, and that period has expired. Surprisingly, a Check Point time clause on a rule has no field for the year, so a rule that was active for a specific period becomes active again at the same time next year. Retaining such rules may open security holes.

Rules with a time clause: In addition to time-inactive rules, AFA lists all rules with a time clause, whether active or not. Showing these rules makes the administrator aware of time-dependent rules that are about to become inactive and prompts a review of whether they are still needed.

Rules without logging: Rules that are defined not to generate logs. Corporate guidelines usually require keeping track of as much rule usage as possible. Since log data consumes a large amount of disk space, administrators often configure heavily used rules that control low-risk traffic not to generate logs. Listing the rules without logging helps the administrator verify that the missing audit trail for these rules does not contradict corporate policy.

Least used rules and most used rules: Rules that matched the smallest or the largest number of packets over a predefined, configurable period. The usage statistics help the administrator improve performance during cleanup: most used rules can be moved higher in the configuration and least used rules lower, and rules with a zero hit count can be removed. AFA also shows, for the least used and most used rules, the date each rule was last used, which helps with reordering and cleanup decisions.

Rules with empty comments, or comments that do not comply with corporate security policy: The firewall comment field lets the administrator attach free text to a rule, usually describing the rule's purpose, the reason it was created, the ticket number in the help-desk trouble-ticketing application, and any other information associated with the rule. Corporate policy often requires an explanation for each rule, so rules without comments, or with comments that do not specify a trouble-ticket number, contravene policy. AFA reports rules without comments and rules with non-compliant comments; it recognizes a compliant comment, for instance one containing a ticket number, through a regular expression definition.
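The rule categories above can be reproduced on a small rule base. The following Python script is an added example, not AFA code; the rule model, the ticket-number regular expression (CHG-nnnn), the fixed "today" date and the seven-rule sample policy are constructed for illustration, and a rule's hit count is taken to mean the packets it matched within the usage window. It only detects coverage by a single earlier rule; coverage by a combination of earlier rules, which AFA also reports, is not computed here.

```python
import re
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional

ANY_NET = [ip_network("0.0.0.0/0")]
ANY_PORT = frozenset(range(65536))
# Assumed corporate convention: every rule comment must carry a change ticket like CHG-1234.
TICKET_RE = re.compile(r"\bCHG-\d{4,}\b")
TODAY = date(2024, 6, 1)   # constructed "now" for the time-clause check


@dataclass
class Rule:
    name: str
    src: list                      # IPv4Network objects
    dst: list
    ports: frozenset               # destination ports
    action: str                    # "accept" or "drop"
    hits: int = 0                  # packets matched inside the usage window (AFA default: 60 days)
    enabled: bool = True
    time_clause: Optional[tuple] = None   # ((start_month, start_day), (end_month, end_day)); no year
    comment: str = ""


def _within(inner, outer):
    return all(any(i.subnet_of(o) for o in outer) for i in inner)


def covers(a, b):
    """Every packet rule b can match is also matched by rule a."""
    return _within(b.src, a.src) and _within(b.dst, a.dst) and b.ports <= a.ports


def overlaps(a, b):
    """Some packet can match both rules."""
    return (any(x.overlaps(y) for x in a.src for y in b.src)
            and any(x.overlaps(y) for x in a.dst for y in b.dst)
            and bool(a.ports & b.ports))


def time_active(clause, today):
    """Year-less time window, as on Check Point: the same window recurs every year."""
    start, end = clause
    t = (today.month, today.day)
    return start <= t <= end if start <= end else (t >= start or t <= end)


def analyze(rules, today=TODAY, ticket_re=TICKET_RE):
    """Tag each rule with the cleanup categories it falls into."""
    findings = {r.name: [] for r in rules}
    for i, r in enumerate(rules):
        tags = findings[r.name]
        if not r.enabled:
            tags.append("disabled")
            continue
        shadow = next((e for e in rules[:i] if e.enabled and covers(e, r)), None)
        if shadow:
            tags.append(f"covered by {shadow.name}")
        else:
            for j in range(i + 1, len(rules)):
                later = rules[j]
                if not later.enabled or later.action != r.action or not covers(later, r):
                    continue
                # Removing r keeps every decision only if no rule between r and its
                # superset takes a different action on part of r's traffic.
                if not any(m.enabled and m.action != r.action and overlaps(m, r)
                           for m in rules[i + 1:j]):
                    tags.append(f"redundant special case of {later.name}")
                break
        if r.hits == 0:
            tags.append("unused")
        if r.time_clause is not None:
            tags.append("time clause" if time_active(r.time_clause, today)
                        else "time-inactive (recurs next year)")
        if not r.comment:
            tags.append("no comment")
        elif not ticket_re.search(r.comment):
            tags.append("non-compliant comment")
    return findings


def example_rulebase():
    """Constructed seven-rule policy exercising each category."""
    web, db = frozenset({80, 443}), frozenset({5432})
    n = ip_network
    return [
        Rule("allow-web", [n("10.0.0.0/8")], [n("192.0.2.10/32")], web, "accept", hits=5000, comment="CHG-1001 public web"),
        Rule("allow-web-host", [n("10.1.2.0/24")], [n("192.0.2.10/32")], frozenset({443}), "accept", hits=0, comment="CHG-1002"),
        Rule("deny-legacy", [n("10.0.0.0/8")], [n("192.0.2.20/32")], frozenset({23}), "drop", enabled=False, comment="CHG-0300"),
        Rule("old-migration", [n("10.9.0.0/16")], [n("198.51.100.0/24")], frozenset({22}), "accept", hits=0,
             time_clause=((1, 15), (2, 15)), comment="CHG-0420 migration window"),
        Rule("allow-db-host", [n("10.5.5.5/32")], [n("192.0.2.30/32")], db, "accept", hits=10, comment="CHG-2001"),
        Rule("allow-db", [n("10.5.0.0/16")], [n("192.0.2.30/32")], db, "accept", hits=200, comment="CHG-2000"),
        Rule("cleanup", ANY_NET, ANY_NET, ANY_PORT, "drop", hits=9000, comment="final deny"),
    ]


def run_example():
    return analyze(example_rulebase())


if __name__ == "__main__":
    for name, tags in run_example().items():
        print(f"{name:15s} {', '.join(tags) or 'ok'}")
```

Running it flags allow-web-host as covered by allow-web (and unused), deny-legacy as disabled, old-migration as unused and time-inactive although its January window will silently reopen next year, allow-db-host as a redundant special case of allow-db, and the final deny as having a comment without a ticket number. The redundant-special-case check deliberately refuses to fire when a differently-acting rule between the two would catch part of the traffic, since removing the special case would then change decisions.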
In addition to analyzing rules, AFA also analyzes objects. Firewall objects hold lists of IP addresses or IP address ranges and are a convenient way for a firewall administrator to work with names rather than numbers. When AFA performs its analysis it translates each name into its list of IP addresses and matches rules and packets against the addresses associated with them. AFA Policy Optimization analyzes the following for objects:
Unattached objects: Objects that are not attached to any rule. AFA also displays unattached global objects.

Empty objects: Objects that contain no IP address or address range.

Duplicate objects: Objects that already exist but have been recreated, contributing to policy bloat.

Unused objects: Objects whose address ranges did not match any packet during a specified period. AFA also displays unused global objects.

Unused objects within rules: Objects within a rule that have not been used recently and can be removed from that particular rule. This allows more granular rule optimization and cleanup, reducing the existing rule base to the traffic actually used.
VPN configuration is also a candidate for cleanup. It may include the following items, which can be removed without affecting the firewall configuration:

Expired users: Users that are no longer active and cannot log in.

Unattached users: Users that are not associated with any rule.

Unattached user groups: User groups that are not associated with any rule.
By removing the unnecessary rules and objects that AFA detects, the complexity of the firewall policy is reduced. This improves manageability, increases performance, and removes potential security holes.
In order to provide a measurable attribute of firewall performance that shows the improvement gained from policy optimization, AlgoSec defined a new metric called Rules Matched Per Packet (RMPP). RMPP is the average number of rules the firewall tests before reaching the rule that matches a packet (including the matched rule). For example, if the firewall policy consists of only one rule (allow all or deny all) that matches everything, RMPP is 1. If the policy consists of 100 rules such that rule #1 matches 20% of the packets, rule #10 matches 30% and rule #100 matches 50%:

RMPP = 1 * 20% + 10 * 30% + 100 * 50% = 0.2 + 3 + 50 = 53.2

Firewalls do in fact test the rules in sequence, one after another, until they reach the matching rule, and every rule tested contributes to the firewall's CPU utilization. Therefore, optimizing the policy to lower the RMPP score lowers CPU utilization and improves overall performance. Building on the previous example, if rule #100 (which matches 50% of the packets) can be relocated to position #50 without changing any of the firewall's policy decisions, the RMPP drops significantly:

RMPP = 1 * 20% + 10 * 30% + 50 * 50% = 0.2 + 3 + 25 = 28.2

This simple change, achieved by reordering rules alone, is a 47% reduction in RMPP ((53.2 - 28.2) / 53.2), and correspondingly in the rule-matching work the firewall performs per packet. Intelligent Rule Reordering recommends an optimized position for each rule based on the current traffic mix as seen in the firewall logs.
Implementing the AFA-computed optimal rule order in a policy of hundreds of rules may not be feasible. To address this common situation, AFA offers a top-10 list: the ten rule-relocation recommendations that provide the greatest improvement. In many cases a handful of relocations is enough to produce a dramatic drop in RMPP and a significant increase in performance. Sometimes moving a single rule that is not among the most used, but sits low in the firewall policy, provides the greatest value. AFA Intelligent Rule Reordering helps achieve the maximum gain for the minimum effort.
In the example shown above, the current RMPP is 63.38 for a Cisco PIX configuration of 14 access lists and a total of 794 rules. By fully implementing the recommendations of AFA Intelligent Rule Reordering the RMPP is lowered to 22.18, an improvement of 65%. Changing the positions of 794 rules across 14 access lists may be very hard, or not even feasible. However, by changing the positions of only 10 rules the administrator reaches a performance improvement of 62% (RMPP of 23.52), which is close to the maximum and requires significantly less effort.
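As an added worked example of the RMPP metric and of a top-N relocation list, the following Python script is not AlgoSec's code (AFA's actual algorithm and data model are not described on this page). It computes RMPP from per-rule hit counts and then greedily picks, one at a time, the single decision-preserving move that lowers RMPP the most. The rule model, the safety test (a rule may only be moved above rules it does not overlap, or that take the same action) and the constructed 100-rule policy, which reproduces the 20% / 30% / 50% example above with a drop rule at position 49 blocking rule 100 from climbing higher than position 50, are assumptions of the example.

```python
from collections import namedtuple
from ipaddress import ip_network

# Minimal rule model for this example (not AFA's data model): networks are IPv4Network
# lists, ports a set, hits the number of packets the rule matched in the log window.
Rule = namedtuple("Rule", "name src dst ports action hits")


def overlaps(a, b):
    """Some packet can match both rules, so their relative order can matter."""
    return (any(x.overlaps(y) for x in a.src for y in b.src)
            and any(x.overlaps(y) for x in a.dst for y in b.dst)
            and bool(a.ports & b.ports))


def rmpp(rules):
    """Rules Matched Per Packet: hit-weighted average position of the matching rule."""
    total = sum(r.hits for r in rules)
    return sum((pos + 1) * r.hits for pos, r in enumerate(rules)) / total


def highest_safe_position(rules, i):
    """Highest index rule i can move to without changing any accept/drop decision.
    It may only jump over rules it does not overlap, or that take the same action
    (jumping over a same-action overlap keeps the decision but may change which
    rule matches, and therefore logs, the packet)."""
    k = i
    while k > 0 and (not overlaps(rules[k - 1], rules[i])
                     or rules[k - 1].action == rules[i].action):
        k -= 1
    return k


def move(rules, i, k):
    """Copy of the rule list with rule i relocated up to index k (k <= i)."""
    return rules[:k] + [rules[i]] + rules[k:i] + rules[i + 1:]


def recommend(rules, max_moves=10):
    """Greedy top-N list: at each step apply the single safe relocation that lowers
    RMPP the most. Returns (moves, reordered_rules); each move is
    (rule name, old position, new position, RMPP after the move), positions 1-based."""
    order = list(rules)
    moves = []
    for _ in range(max_moves):
        best = None
        for i in range(1, len(order)):
            between = 0   # hits of the rules that rule i would jump over
            for k in range(i - 1, highest_safe_position(order, i) - 1, -1):
                between += order[k].hits
                # Rule i climbs i-k positions; every rule it passes slips one.
                gain = order[i].hits * (i - k) - between   # RMPP drop times total hits
                if gain > 0 and (best is None or gain > best[0]):
                    best = (gain, i, k)
        if best is None:
            break
        _, i, k = best
        order = move(order, i, k)
        moves.append((order[k].name, i + 1, k + 1, round(rmpp(order), 2)))
    return moves, order


def example_policy():
    """Constructed 100-rule policy reproducing the worked example: rule 1 takes 20% of
    the traffic, rule 10 takes 30%, rule 100 takes 50%. Rule 49 is a drop rule on a
    sub-range of rule 100's source, so rule 100 cannot safely be moved above it."""
    dst, ports = [ip_network("192.0.2.0/24")], {80}
    rules = [Rule(f"rule-{n}", [ip_network(f"10.{n}.0.0/16")], dst, ports, "accept",
                  {1: 20, 10: 30, 100: 50}.get(n, 0)) for n in range(1, 101)]
    rules[48] = Rule("rule-49", [ip_network("10.100.7.0/24")], dst, ports, "drop", 0)
    return rules


if __name__ == "__main__":
    policy = example_policy()
    print(f"RMPP before: {rmpp(policy):.2f}")
    moves, _ = recommend(policy)
    for name, old, new, after in moves:
        print(f"move {name} from #{old} to #{new}: RMPP {after}")
```

On the constructed policy the first recommendation is exactly the one in the text, rule 100 to position 50 (RMPP 53.2 to 28.2); the second moves rule 10 to the top (RMPP 25.7), and the greedy search then stops because no remaining safe move lowers RMPP. Evaluating every safe target position, rather than only the highest, matters in real policies: hoisting a lightly used rule above a heavily used one it does not conflict with pushes the busy rule down and raises RMPP.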
Conclusion
Firewall administrators can achieve significant and measurable performance improvements for their complex corporate firewalls by using the AlgoSec Firewall Analyzer policy optimization and rule reordering capabilities. AFA helps with policy cleanup by identifying rules that are unused, covered or disabled and should ideally be removed, as well as unattached, empty, duplicate and unused objects. Importantly, AFA helps to eliminate the security risks caused by time-inactive rules, and keeps the firewall policy well managed by alerting administrators to rules without logging and without comments.
About AlgoSec
AlgoSec is the market leader in network security policy management. AlgoSec enables security and operations teams to intelligently automate the policy management of firewalls, routers, VPNs and related devices, improving overall security while reducing costs. More than 700 of the world's leading enterprises, MSSPs, auditors and consultancies rely on AlgoSec's Deep Policy Inspection technology for unmatched automation of firewall operations, auditing and compliance, risk analysis and the security change workflow. To ensure the success of every single customer, AlgoSec offers the industry's only money-back guarantee. For more information visit www.AlgoSec.com or visit our blog.