Friday, July 30, 2010

How to clean up a firewall rulebase

1. Define a zone-based compliance policy (which traffic each zone may send to each other zone) and check the rulebase against it by running an audit report.

2. Identify and reduce insecure rules using the Best Practices report, the Security Risk report and, if your organization is in scope, the PCI DSS report.

3. Optimize performance:

  • Remove bad traffic and clean up the network. Notify server administrators about servers whose outbound DNS/NTP/SMTP/HTTP(S) requests are hitting the firewall and being denied, and about internal devices whose traffic is being dropped or rejected. The administrators should then reconfigure those servers so they stop sending this unauthorized outbound traffic (for example by pointing them at the internal resolver, NTP source or mail relay), which takes load off the firewall and its logging.
  • Filtering unwanted traffic can be spread among firewalls and routers to balance the performance and effectiveness of the security policy:
    • Identify the top inbound dropped requests (by source, protocol and port) that are candidates to move upstream to the router as ACL filters. This can be time-consuming, but it is a good method for moving blocks upstream and saving firewall CPU and memory. Keep the router ACL short and specific; a long ACL only moves the problem.
    • If you have an internal choke router inside your firewall, also consider moving common outbound traffic blocks to your choke routers, freeing more processing on your firewall.
  • Remove unused rules and objects from the rule base. Base the decision on hit counts collected over a representative period (long enough to cover month-end and other periodic jobs), not on a few days of logs.
  • Reduce rule base complexity: minimize overlapping rules, and remove rules that are shadowed by an earlier rule or fully redundant with another one.
  • Create a rule to handle broadcast traffic (bootp, NBT, etc.) with no logging.
  • Place the heavily used rules near the top of the rule base, but only move a rule past rules it does not overlap with: on a first-match firewall, swapping overlapping rules changes which rule wins and therefore what is allowed. Note that some firewalls (such as Cisco PIX/ASA version 7.0 and above, FWSM 4.0 and certain Juniper Networks models) don't depend on rule order for performance, since they use optimized matching algorithms, so reordering gains nothing there.
  • Avoid DNS objects (objects defined by domain name rather than address), which typically force the firewall to perform a DNS lookup while matching traffic; on a busy rule this adds a resolver round trip and a dependency on DNS availability to every new connection.
  • Your firewall interfaces should match the switch and/or router interfaces they connect to: both ends must report the same speed and duplex mode. If your router is half duplex, the firewall port facing it should be half duplex. On 100 Mbit links, hard-set both sides (most likely to 100 Mbit full duplex) rather than leaving one side on auto-negotiation and the other fixed, which produces a duplex mismatch. On gigabit links, set both the switch and the firewall to auto-negotiate speed and duplex. If a gigabit link does not come up at 1000 Mbit full duplex, try replacing the cables and patch panel ports; gigabit interfaces that do not link at 1000 Mbit full duplex are almost always a sign of other issues.
  • Separate firewalls from VPNs to offload VPN traffic and processing.
  • Offload UTM features from the firewall: AV, AntiSpam, IPS, URL scanning.
  • Upgrade to a current software version. As a rule of thumb, newer versions contain performance enhancements but also add new capabilities that consume resources, so a performance gain is not guaranteed; test the upgrade before deploying it to production.
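As an added example (not part of the original post and not any vendor's reporting tool), the script below works through several of the steps above from firewall log lines: per-rule hit counts to find unused rules and the order heavily used rules would take near the top, the top inbound drops rendered as candidate border-router ACL lines, and internal hosts whose denied DNS/NTP/SMTP/HTTP(S) requests identify servers to reconfigure. The key=value log format, the sample lines, the rule IDs and the Cisco-style ACL syntax are all assumed or constructed; adapt the regex and the renderer to your own firewall export.

```python
"""Rulebase clean-up helpers: hit counts, unused rules, upstream ACL candidates
and outbound leaks, computed from firewall log lines.

Added example, not from the original post. The log format is an assumed
key=value syslog style; adapt FIELD_RE to your firewall's export format.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (assumed key=value format, not a real vendor format).
SAMPLE_LOG = """\
action=accept rule=10 dir=inbound proto=tcp src=198.51.100.7 dst=10.0.0.10 dport=443
action=accept rule=10 dir=inbound proto=tcp src=198.51.100.9 dst=10.0.0.10 dport=443
action=accept rule=10 dir=inbound proto=tcp src=198.51.100.12 dst=10.0.0.10 dport=443
action=drop rule=cleanup dir=inbound proto=tcp src=203.0.113.5 dst=10.0.0.10 dport=23
action=drop rule=cleanup dir=inbound proto=tcp src=203.0.113.5 dst=10.0.0.11 dport=23
action=drop rule=cleanup dir=inbound proto=tcp src=203.0.113.5 dst=10.0.0.12 dport=23
action=drop rule=cleanup dir=inbound proto=udp src=203.0.113.77 dst=10.0.0.10 dport=1434
action=accept rule=20 dir=outbound proto=udp src=10.0.0.50 dst=10.0.0.2 dport=53
action=drop rule=cleanup dir=outbound proto=udp src=10.0.0.31 dst=8.8.8.8 dport=53
action=drop rule=cleanup dir=outbound proto=udp src=10.0.0.31 dst=8.8.8.8 dport=53
action=drop rule=cleanup dir=outbound proto=tcp src=10.0.0.44 dst=192.0.2.25 dport=25
action=accept rule=40 dir=outbound proto=udp src=10.0.0.60 dst=10.0.0.2 dport=123
"""

# Assumed rulebase export: rule 30 exists but never matches anything in the log.
RULEBASE = ["10", "20", "30", "40", "cleanup"]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
# Ports whose denied outbound hits usually mean a misconfigured server.
LEAK_PORTS = {53: "DNS", 123: "NTP", 25: "SMTP", 80: "HTTP", 443: "HTTPS"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each key=value line into a dict; dport becomes an int."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if not fields:
            continue
        fields["dport"] = int(fields["dport"])
        events.append(fields)
    return events


def rule_hits(events, rulebase):
    """Return (hit counts per rule in descending order, rules with zero hits).
    Zero-hit rules are removal candidates; the ordering is what heavily used
    rules would look like moved to the top. Only reorder non-overlapping rules."""
    counts = Counter(e["rule"] for e in events)
    ordered = sorted(rulebase, key=lambda r: -counts[r])
    unused = [r for r in rulebase if counts[r] == 0]
    return [(r, counts[r]) for r in ordered], unused


def top_inbound_drops(events, n=3):
    """Most frequent dropped (src, proto, dport) tuples arriving from outside:
    candidates to block upstream on the border router."""
    c = Counter(
        (e["src"], e["proto"], e["dport"])
        for e in events
        if e["action"] == "drop" and e["dir"] == "inbound"
    )
    return c.most_common(n)


def router_acl(candidates, acl_id=101):
    """Render drop candidates as Cisco-style extended ACL lines (assumed syntax),
    ending with the permit that lets the firewall see everything else."""
    lines = [f"access-list {acl_id} deny {proto} host {src} any eq {dport}"
             for (src, proto, dport), _ in candidates]
    lines.append(f"access-list {acl_id} permit ip any any")
    return lines


def outbound_leaks(events):
    """Internal hosts whose DNS/NTP/SMTP/HTTP(S) requests are being dropped:
    the servers whose administrators should be notified."""
    leaks = Counter()
    for e in events:
        if e["action"] != "drop" or e["dir"] != "outbound":
            continue
        if ipaddress.ip_address(e["src"]) in INTERNAL and e["dport"] in LEAK_PORTS:
            leaks[(e["src"], LEAK_PORTS[e["dport"]])] += 1
    return sorted(leaks.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    hits, unused = rule_hits(ev, RULEBASE)
    print("hit counts:", hits)
    print("unused rules:", unused)
    print("\n".join(router_acl(top_inbound_drops(ev))))
    print("outbound leaks:", outbound_leaks(ev))
```

On the sample data the cleanup rule dominates the hit counts, rule 30 is unused, the telnet scanner at 203.0.113.5 becomes the first router ACL line, and 10.0.0.31 shows up as a server resolving DNS past the internal resolver. Run it against a real export only after collecting logs over a period long enough to cover periodic jobs, and review every zero-hit rule with its owner before deleting it.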
