Firewall rules never die … they just get holes poked in them and continue to pile on complexity. Now things are likely to get even more complicated with next-generation, application-aware firewalls that aim to maintain hundreds, or even thousands, of application signatures.
Firewall-rules bloat: Where does it come from?
In large organizations there are security staff members who spend all their time writing
These firewall experts make it so that enterprises can swing between blocking a class of traffic to selectively allowing it among a specific set of external or internal entities. The end result of their efforts is a huge and complex rule set, making management more difficult.
Unfortunately as rule sets grow, performance suffers. Rule lists are parsed top to bottom, and the longer they are, the more latency they add to the processing. They also consume ever more of the memory of the devices, hurting performance and ramping up processing and capacity requirements on devices. This added complexity is the enemy of both economy and security as it contributes to more workarounds and more mistakes.
More on managing firewall rules
Firewall management software simplifies firewall rules
Firewall rule management: Best practices
Getting clarity on next-generation firewall features
How to conduct firewall configuration reviews
To make matters worse ... application signature bloat
Some security directors choose to avoid adding application and user-aware next-generation firewalls onto existing firewalls so that they can instead start with a clean slate. Instead of porting firewall rules from one L4 device to another, they put an L4-7 device in and start over.
However, even when starting fresh, next-generation firewalls may not be immune to the bloating problem. It's just that application signatures may become the new bloat.
Consider that each vendor's firewall is able to identify a few hundred applications right out of the box. On top of that, IT organizations add even more profiles for in-house, custom or new applications. All three of these types of apps will grow in importance in the next few years, thanks to the rise of Platform as a Service (PaaS), the continuing explosion of Software as a Service (SaaS), and the rapid evolution of the enterprise mobile device and mobile application space.
Steps to dealing with firewall application-signature bloat
Before IT simply recreates the same sin of continually adding signatures without removing old ones as they become obsolete, it needs to build robust processes to manage the signature set. It would help if vendors made their own signature files easier to treat modularly so IT could only have the rules it needs actually in the loop. That would also mitigate the effects of bloat in the vendors’ own signature files.
The first step is to set up signature aging, so that every rule is tagged with its date of creation and owner. The second step is to institute a regular cycle of re-evaluation. If developers throw up a new application, and it is later replaced with a commercial offering, there has to be a point during the following year where a scheduled review of rules results in junking the old signature. The owner of the rule should be given the chance to speak up in its defense or sign off on its removal.
Bottom line, if IT gets out in front of the process of keeping the application signature set clean and trim in the brave new world of next generation firewalls, it should be able to prevent a brave new world of bloat. Each rule may be exquisitely crafted and uniquely useful when it is needed, a small masterpiece of necessary function, but once it is not needed, it is dead weight. In the words of Arthur Quiller-Couch, “Murder your darlings.”
About the author: John Burke is a principal research analyst with Nemertes Research, where he advises key enterprise and vendor clients, conducts and analyzes primary research, and writes thought-leadership pieces across a wide variety of topics.
This was first published in June 2012