How should multiple firewall rules be managed?

How should multiple firewall rules be managed?

I hear that there are now available firewall rule base tools that assist in consolidating messy rules schemes. Do you have any experience with these tools and could you recommend any for Cisco Systems PIX or Check Point firewalls?

Rule base management is certainly a problem area for many firewall administrators. It's easy for firewall rule bases to become riddled with incorrect, overlapping and unused rules, even in the presence of a change management system. There has been a bit of academic research into this topic during the past few years, and researchers have identified a number of anomalies worthy of an administrator's attention:

  • Overlapping/shadowed rules often occur when administrators create one high-priority rule that generalizes lower priority rules. For example, the administrator might create a rule that appears high in the rule base, allowing, say, all SMTP traffic. An older rule, lower in the base, might specifically allow SMTP traffic to a mail server. Because of its similarity and lower priority, however, this more specific rule will never be triggered. The situation could be made worse when the lower rule is intended to block traffic to a particular server. Since the generalized rule appears first, the block would never take effect.

  • Orphaned rules occur when services or systems disappear from the network, or other changes render a rule obsolete. All too often, these rules are never removed from the firewall, creating

      • Requires Free Membership to View

      Login

      SearchMidmarketSecurity.com members gain immediate and unlimited access to breaking SMB industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchMidmarketSecurity.com today!

      Michael S. Mimoso, Editorial Director

      By submitting your registration information to SearchMidmarketSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchMidmarketSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top