
AlgoSec Solution Brief: Easily Clean Up Firewall Clutter!

Work More Effectively and Extend Your Hardware's Lifespan

Copyright 2010, AlgoSec Inc. All rights reserved

The Need for Firewall Cleanup


In light of the current economic climate, organizations are increasingly seeking ways to maximize their infrastructure and receive a better return on their technology investments. In addition to enabling IT personnel to work more efficiently, the AlgoSec Firewall Analyzer (AFA) enables organizations to significantly improve the performance of their firewalls, not only increasing security through streamlined operations but also extending the firewalls' lifespan.

Firewalls are the first and continuing line of defense for enterprises today, handling vast amounts of traffic across the corporate network. On the perimeter alone, firewalls filter millions of packets daily. Since business needs are dynamic, firewall policies are constantly being changed and modified. Firewall administration teams in large organizations often process dozens of rule additions and changes daily. This continuous flux causes the firewall configuration to grow dramatically over time. A huge and consequently complex firewall configuration is hard to manage; moreover, the complexity of the configuration decreases the firewall's performance, which not only may lead to potential security breaches but often forces increased spending on hardware. In short, the firewall clutter faced by most organizations requires them to invest in costly hardware upgrades to counteract the degradation in performance. Additionally, most organizations' rule bases, which are in a constant state of flux, not only contain clutter but are not ordered for optimal performance.

With AFA, organizations can now save on expensive hardware upgrades by easily cleaning the clutter and reorganizing their rules to work more effectively. AFA's patented algorithms automatically and intelligently identify rules that are candidates for removal, including covered rules (rules that are masked out by an earlier rule or a combination of earlier rules), disabled rules, unused rules, and timed-out rules.

AFA's patent-pending Intelligent Rule Reordering capability also enables companies to improve performance and reduce CPU load by instantly revealing the most used rules and showing where to move them to gain the maximum performance boost without changing the integrity of the policy.

AlgoSec Firewall Analyzer (AFA) Policy Optimization


The AFA helps companies clean their firewall policies, easing the network administrator's job while boosting performance and eliminating security holes. AFA Policy Optimization does this by locating:


Unused rules: Rules that have not matched any packet during a specified time. AFA looks at the firewall logs and compares the actual traffic to the rules in the policy. Unused rules are ideal candidates for removal; often the application has been decommissioned or the server has been relocated to a different address. The period of time over which AFA checks rule usage is configurable. The default value is 60 days, but the AFA administrator can change it to several months or several days as required.

Covered or duplicated rules: Rules that can never match traffic because a prior rule, or a combination of earlier rules, prevents traffic from ever reaching them. During firewall cleanup such covered rules can be deleted since they will never be used. Covered and duplicated rules cause the firewall to spend precious time for nothing and decrease its performance.

Redundant special-case rules: Rules that are covered by a subsequent rule and can be removed without altering the security policy. The earlier rule is a special case of a succeeding rule.

Disabled rules: Rules that are marked disabled and are not in operation. Disabled rules are ideal candidates for removal, unless the administrator keeps them for occasional use or for historical record.

Time-inactive rules: Rules that were active for a specified time in the past, and that time has expired. Surprisingly, a Check Point time clause on a rule does not contain a field for the year. Therefore rules that were active for a specific period will become active again at the same time next year. Retaining such rules may create security holes.

Rules with a time clause: In addition to time-inactive rules, AFA also lists all the rules with a time clause, whether active or not. Showing these rules raises the administrator's awareness of time-dependent rules that are about to become inactive and of whether they are still necessary.

Rules without logging: Rules that are defined not to generate logs. Usually corporate guidelines dictate keeping track of as much rule usage as possible. Since log information consumes a large amount of disk space, administrators often configure highly used rules that control low-risk traffic not to generate logs. Listing the rules without logs helps the administrator verify that the lack of audit for these rules does not contradict corporate policy.

Least used rules and most used rules: Rules that matched the smallest or the largest number of packets over a predefined and configurable period of time. The rule usage statistics help the administrator in the cleanup process for performance improvement: most used rules can be repositioned higher in the configuration and least used rules lower. Rules with a zero hit count may be removed. AFA also shows, for the least used and most used rules, the last date when each rule was used; this can help the administrator with reordering and cleanup decisions.

Rules with empty comments or comments that do not comply with corporate security policy: The firewall comment field allows the administrator to add free text that is usually used to describe the rule's purpose, the reason for creating the rule, the ticket number in the help-desk trouble-ticketing application and any other information associated with the rule. Often corporate policy requires an explanation for each rule, so defining rules without comments, or with comments that do not specify the trouble ticket number, contravenes policy. AFA reports on rules without comments and rules with non-compliant comments. AFA identifies a compliant comment (one containing a ticket number, for instance) through a regular expression definition.

In addition to analyzing rules, AFA also analyzes objects. Firewall objects contain lists of IP addresses, or IP address ranges, and are a convenient way for a firewall administrator to relate to names rather than numbers. When AFA performs its analysis it translates the names to the list of IP addresses and matches rules and packets to the addresses associated with them. AFA Policy Optimization analyzes the following for objects:

Drawing 1: Optimize Policy summary page example


Unattached objects: Objects that are not attached to any rule. AFA also displays unattached global objects.

Empty objects: Objects that do not contain any IP address or address range.

Duplicate objects: Objects that already exist but are recreated, contributing to policy bloat.

Unused objects: Objects whose address ranges didn't match any packet during a specified time. AFA also displays unused global objects.

Unused objects within rules: Objects within rules that were not used recently and can be removed from the particular rules. This allows more granular rule optimization and cleanup, reducing the existing rule base to the traffic actually used.

VPN configuration is also a candidate for cleanup. It may include the following items, which can be removed without affecting the firewall configuration:

Expired users: Users that are not active and cannot log in.

Unattached users: Users that are not associated with any rule.

Unattached user groups: User groups that are not associated with any rule.

By removing the unnecessary rules and objects detected by AFA, the complexity of the firewall policy is reduced. This improves manageability, increases performance, and removes potential security holes.

Intelligent Rule Reordering - Firewall Performance Boost


AFA's patent-pending Intelligent Rule Reordering provides recommendations for optimizing a rule's location in order to improve firewall performance, while taking the firewall's actions into account and ensuring that policy decisions and the filtering logic are preserved. The recommendations offer the firewall administrator a new position for each rule. The administrator can decide whether to move the rule to the exact recommended position or to another position in the same area, keeping blocks of rules intact. For manageability reasons, some firewalls allow the creation of a block of rules that handle the same concern; administrators typically would not break such a block with unrelated rules, so they choose to implement the AFA reordering recommendation only up to the block boundary.


Drawing 2: Optimize Policy rule reordering optimization summary example

In order to provide a measurable attribute for firewall performance that shows the improvement from policy optimization, AlgoSec defined a new metric called Rules Matched Per Packet (RMPP). RMPP is the average number of rules the firewall tested until it reached the rule that matched a packet (including the matched rule). For example: if the firewall policy consists of only one rule (allow or deny all) that matches everything, RMPP will be 1. If the firewall policy consists of 100 rules, such that rule #1 matches 20% of the packets, rule #10 matches 30% and rule #100 matches 50% of the packets:

RMPP = 1 * 20% + 10 * 30% + 100 * 50% = 0.2 + 3 + 50 = 53.2

Firewalls do in fact test the rules in sequence, one after another, until they reach the matching rule, and each tested rule contributes to the firewall's CPU utilization. Therefore, optimizing the policy to decrease the RMPP score will decrease the firewall CPU utilization and greatly improve overall performance. Building on the previous example, if rule #100 (which matches 50% of the packets) can be relocated to position #50 without modifying the firewall policy decisions, the RMPP is reduced significantly:

RMPP = 1 * 20% + 10 * 30% + 50 * 50% = 0.2 + 3 + 25 = 28.2

This simple change, achieved just by reordering the rules, produces a 47% improvement in firewall performance. Intelligent Rule Reordering provides recommendations for the optimized position of each rule based on the current traffic mix as seen in the firewall logs.


Implementing the AFA-computed optimal rule order in a policy consisting of hundreds of rules may not be feasible. To address this common situation, AFA offers a top-10 list: the 10 rule-relocation recommendations that provide the greatest improvement. In many cases a handful of rule relocations are sufficient to produce a dramatic drop in RMPP, significantly increasing performance. Sometimes moving only a single rule, which is not among the most used but is located low in the firewall policy, provides the greatest value. AFA Intelligent Rule Reordering helps achieve the maximal outcome for the minimal investment.

Drawing 3: Rule reordering recommendations

In the example shown above, the current RMPP is 63.38 for a Cisco PIX configuration of 14 access lists and a total of 794 rules. By completely implementing the recommendations of AFA Intelligent Rule Reordering the RMPP will be lowered significantly to 22.18, which represents an improvement of 65%. Changing the positions of 794 rules in 14 access lists may be very hard, or not even feasible. However, it is clear that by changing the positions of only 10 rules, the administrator can reach a performance improvement of 62% (RMPP of 23.52) which is close to the maximum and requires significantly less effort.
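The covered-rule check described under Policy Optimization and the RMPP arithmetic and top-N reordering described above, as one added Python example; this is not AlgoSec's code and assumes a simplified rule model (source, destination and destination-port ranges plus an allow/deny action), constructed hit counts, single-rule coverage only (coverage by a combination of earlier rules is omitted), and hit counts that stay fixed when a rule moves, as in the brief's own arithmetic. A move is treated as decision-preserving only if every rule it jumps over either cannot match the same packets or carries the same action:

```python
# Added example (not AlgoSec's code): a toy rule-base analyzer for covered-rule
# detection, the RMPP metric and decision-preserving rule reordering.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive (low, high); addresses and ports as integers

def net(cidr: str) -> Range:
    """Map a CIDR block to an inclusive integer address range."""
    n = ipaddress.ip_network(cidr)
    return int(n.network_address), int(n.broadcast_address)

ANY = net("0.0.0.0/0")

@dataclass
class Rule:
    name: str
    src: Range
    dst: Range
    dport: Range
    action: str    # "allow" or "deny"
    hits: int = 0  # packets matched over the log period (constructed numbers)

def _contains(outer: Range, inner: Range) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def _overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet 'later' could match is already caught by 'earlier'."""
    return (_contains(earlier.src, later.src) and _contains(earlier.dst, later.dst)
            and _contains(earlier.dport, later.dport))

def intersects(a: Rule, b: Rule) -> bool:
    """True if some packet matches both rules."""
    return _overlaps(a.src, b.src) and _overlaps(a.dst, b.dst) and _overlaps(a.dport, b.dport)

def covered_rules(policy: List[Rule]) -> List[Tuple[str, str]]:
    """(covered rule, covering earlier rule) pairs; single-rule coverage only,
    coverage by a combination of earlier rules is not computed here."""
    found = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found

def rmpp(policy: List[Rule]) -> float:
    """Rules Matched Per Packet: hit-weighted average 1-based position of the
    matching rule, i.e. how many rules the firewall tests per packet on average."""
    total = sum(r.hits for r in policy)
    return sum((pos + 1) * r.hits for pos, r in enumerate(policy)) / total if total else 0.0

def safe_move_up(policy: List[Rule], i: int, j: int) -> bool:
    """Can rule i move to position j < i without changing any decision? Every rule
    it jumps over must either not intersect it or carry the same action."""
    mover = policy[i]
    return all(not intersects(mover, o) or o.action == mover.action for o in policy[j:i])

def best_moves(policy: List[Rule], top_n: int = 10):
    """Greedy top-N list: repeatedly apply the safe move with the largest RMPP drop.
    Returns (moves, reordered policy); a move is (name, old pos, new pos, RMPP after)."""
    policy, moves = list(policy), []
    for _ in range(top_n):
        base, best = rmpp(policy), None
        for i in range(len(policy)):
            for j in range(i):
                if safe_move_up(policy, i, j):
                    trial = policy[:j] + [policy[i]] + policy[j:i] + policy[i + 1:]
                    gain = base - rmpp(trial)
                    if best is None or gain > best[0]:
                        best = (gain, i, j, trial)
        if best is None or best[0] <= 1e-9:
            break  # no safe move lowers RMPP any further
        _, i, j, policy = best
        moves.append((policy[j].name, i + 1, j + 1, round(rmpp(policy), 2)))
    return moves, policy

def brief_example() -> Tuple[float, float, float]:
    """The brief's arithmetic: 100 non-overlapping rules, rule #1 matching 20% of
    packets, #10 30%, #100 50%; then rule #100 is moved to #50."""
    rules = [Rule(f"r{n}", ANY, ANY, (1000 + n, 1000 + n), "allow") for n in range(1, 101)]
    rules[0].hits, rules[9].hits, rules[99].hits = 20, 30, 50
    before, after = rmpp(rules), rmpp(rules[:49] + [rules[99]] + rules[49:99])
    return before, after, 100.0 * (before - after) / before  # percent improvement

# Constructed sample policy: r4 is a special case of r3 and r5 is shadowed by r1,
# so neither can ever match; r6 carries most of the traffic but sits last.
POLICY = [
    Rule("r1-deny-telnet", ANY, net("10.0.0.0/24"), (23, 23), "deny", hits=2),
    Rule("r2-web", ANY, net("10.0.0.0/24"), (80, 80), "allow", hits=10),
    Rule("r3-https-branch", net("10.1.0.0/16"), net("10.0.0.0/24"), (443, 443), "allow", hits=8),
    Rule("r4-https-office", net("10.1.5.0/24"), net("10.0.0.0/24"), (443, 443), "allow"),
    Rule("r5-telnet-admin", net("10.9.0.0/24"), net("10.0.0.0/24"), (23, 23), "allow"),
    Rule("r6-dns", ANY, net("10.0.0.53/32"), (53, 53), "allow", hits=80),
]

if __name__ == "__main__":
    print("covered:", covered_rules(POLICY), "RMPP:", rmpp(POLICY))
    print("moves:", best_moves(POLICY)[0], "brief:", brief_example())
```

On the sample policy the analyzer flags r4 and r5 as covered, reports an RMPP of 5.26, and its first recommendation is to move r6 from position 6 to position 1, which alone brings RMPP down to 1.46; r5 is correctly refused a move above r1 because the two overlap with opposite actions. `brief_example()` returns the brief's 53.2 and 28.2 figures and the resulting 47% improvement.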


Conclusion
Firewall administrators can achieve significant and measurable performance improvements for their complex corporate firewalls by using the AlgoSec Firewall Analyzer policy optimization and rule reordering capabilities. AFA helps in policy cleanup by identifying rules that are unused, covered and disabled and ideally should be removed. This is in addition to unattached, empty, duplicate and unused objects. Importantly, AFA helps to eliminate security risks caused by time-inactive rules, and keeps the firewall policy well managed by alerting administrators about rules without logging and comments.

About AlgoSec
AlgoSec is the market leader in network security policy management. AlgoSec enables security and operations teams to intelligently automate the policy management of firewalls, routers, VPNs and related devices, improving overall security while reducing costs. More than 700 of the world's leading enterprises, MSSPs, auditors and consultancies rely on AlgoSec's Deep Policy Inspection technology for unmatched automation of firewall operations, auditing and compliance, risk analysis and the security change workflow. To ensure the success of every single customer, AlgoSec offers the industry's only money-back guarantee. For more information visit www.AlgoSec.com or visit our blog.

