Are application signatures the new firewall-rules bloat?

Firewall rules never die … they just get holes poked in them and continue to pile on complexity. Now things are likely to get even more complicated with next-generation, application-aware firewalls that aim to maintain hundreds, or even thousands, of application signatures.

Firewall-rules bloat: Where does it come from?

In large organizations there are security staff members who spend all their time writing and testing firewall rules. Their jobs exist because their organizations have huge and complex firewall installations with multiple DMZs, a shifting number of applications and dozens of partner organizations to accommodate.

These firewall experts make it possible for enterprises to swing between blocking a class of traffic outright and selectively allowing it among a specific set of external or internal entities. The end result of their efforts is a huge and complex rule set, which makes management more difficult.

Unfortunately, as rule sets grow, performance suffers. Rule lists are parsed top to bottom, and the longer they are, the more latency they add to packet processing. They also consume ever more device memory, driving up processing and capacity requirements. This added complexity is the enemy of both economy and security, since it leads to more workarounds and more mistakes.

To make matters worse ... application signature bloat

Some security directors choose not to layer application- and user-aware next-generation firewalls onto existing firewalls, preferring instead to start with a clean slate. Rather than porting firewall rules from one L4 device to another, they put an L4-7 device in and start over.

However, even when starting fresh, next-generation firewalls may not be immune to the bloating problem. It's just that application signatures may become the new bloat.  

Consider that each vendor's firewall is able to identify a few hundred applications right out of the box. On top of that, IT organizations add even more profiles for in-house, custom or new applications. All three of these types of apps will grow in importance in the next few years, thanks to the rise of Platform as a Service (PaaS), the continuing explosion of Software as a Service (SaaS), and the rapid evolution of the enterprise mobile device and mobile application space. 

Steps to dealing with firewall application-signature bloat

Before IT simply repeats the same sin of continually adding signatures without removing old ones as they become obsolete, it needs to build robust processes to manage the signature set. It would help if vendors made their own signature files easier to treat modularly, so IT could keep only the signatures it actually needs in the processing path. That would also mitigate the effects of bloat in the vendors' own signature files.

The first step is to set up signature aging, so that every rule is tagged with its date of creation and owner. The second step is to institute a regular cycle of re-evaluation. If developers throw up a new application, and it is later replaced with a commercial offering, there has to be a point during the following year where a scheduled review of rules results in junking the old signature. The owner of the rule should be given the chance to speak up in its defense or sign off on its removal.
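The aging-and-review cycle described above, as an added example that is not from the article: a small Python model in which every application signature carries its creation date and owner, comes due for review on a fixed cycle, and is either defended by its owner or signed off for retirement. The inventory, the field names and the 365-day cycle are constructed assumptions, not any vendor's schema.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_CYCLE = timedelta(days=365)  # assumed: every signature is re-evaluated yearly
TODAY = date(2012, 6, 1)            # constructed "review day" for the sample run


@dataclass
class AppSignature:
    name: str
    owner: str
    created: date                    # tagged at creation (the aging step)
    last_reviewed: Optional[date] = None
    decision: Optional[str] = None   # owner's verdict: "defend" or "retire"

    def due_for_review(self, today: date) -> bool:
        anchor = self.last_reviewed or self.created
        return today - anchor >= REVIEW_CYCLE


def schedule_review(sigs, today):
    """Map each owner to the signatures they must defend or release this cycle."""
    tasks = {}
    for s in sigs:
        if s.due_for_review(today):
            tasks.setdefault(s.owner, []).append(s.name)
    return tasks


def apply_decisions(sigs, today):
    """Retire signed-off signatures, renew defended ones, flag silent owners."""
    kept, retired, undecided = [], [], []
    for s in sigs:
        if not s.due_for_review(today):
            kept.append(s)
        elif s.decision == "retire":
            retired.append(s)             # owner signed off: drop it from the loop
        elif s.decision == "defend":
            s.last_reviewed, s.decision = today, None   # renewed for another cycle
            kept.append(s)
        else:
            undecided.append(s)           # no owner response: stays, but flagged
            kept.append(s)
    return kept, retired, undecided


INVENTORY = [  # constructed sample inventory
    AppSignature("inhouse-expense-app", "finance-dev", date(2010, 3, 1), decision="retire"),
    AppSignature("partner-edi-gateway", "b2b-team", date(2009, 6, 15), date(2011, 5, 10), "defend"),
    AppSignature("mobile-field-tool", "ops", date(2012, 1, 20)),
    AppSignature("legacy-reporting", "bi-team", date(2008, 9, 9)),
]

if __name__ == "__main__":
    print(schedule_review(INVENTORY, TODAY))
    kept, retired, undecided = apply_decisions(INVENTORY, TODAY)
    print([s.name for s in retired], [s.name for s in undecided])
```

Running the module prints the per-owner review tasks, then the one retired signature and the one whose owner never answered.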

Bottom line, if IT gets out in front of the process of keeping the application signature set clean and trim in the brave new world of next generation firewalls, it should be able to prevent a brave new world of bloat. Each rule may be exquisitely crafted and uniquely useful when it is needed, a small masterpiece of necessary function, but once it is not needed, it is dead weight. In the words of Arthur Quiller-Couch, “Murder your darlings.”

About the author: John Burke is a principal research analyst with Nemertes Research, where he advises key enterprise and vendor clients, conducts and analyzes primary research, and writes thought-leadership pieces across a wide variety of topics.

This was first published in June 2012
