Firewall Policy Life Cycle Management
A recent posting to a firewall mailing list asked the question, "How do large organizations manage firewall rule sets? Specifically, how do they determine when to remove a policy that is no longer required?" This firewall administrator is always being asked to open access for new applications, but is rarely informed when an application is deprecated and the associated access policy can be removed. Sound familiar?
I mulled this over for a while. Organizations that implement security according to a regularly maintained security policy should never encounter this situation. Requests to add access are reviewed and if approved, recorded in the policy. For example, the security policy team meets in June 1994, reviews a request, and agrees that access to gopher service is permitted. The team notifies the firewall admin to open port 70/TCP. Time marches on. Everyone who used gopher has retired or expired.
In March 2006, the twenty-somethings who now comprise the security policy team review the policy. Everyone in the meeting says, "what the heck is gopher?" They agree to remove gopher access, revise and post the policy, and notify the firewall admin to remove the firewall rule and block access to gopher servers. Who wants a double shot mocha no fat?
OK, it's an interesting bedtime story, but in the all too common world of policy-challenged organizations, the story is quite different. And so a more practical question to ask might be, "How do security admins of large organizations know when to remove an access rule from a firewall config?"
When firewall configuration is not policy-driven, admins can rely on what they see in logs. This gives me the opportunity to campaign once more for logging allowed traffic. If you know what traffic is allowed and you log all allowed traffic, then you can monitor what is actually being used and to what extent. Review your logs. When was the last time you saw outbound traffic on port 70/TCP on your network? December 2003? Now you can follow this simple rule of thumb: if traffic for a given application has dwindled to little or none, ask management (and employees) whether a business need still exists. If no one speaks up to justify continued access, close the port and, as my colleague and friend Fred Avolio says, "wait for the phone to ring, and ask for a business case."
Yeah, I know. This is too easy.
Archived at http://www.securityskeptic.com/arc20060301.htm#BlogID511
by Dave Piscitello