"Finding holes in security is easy, plugging them is hard"
So you have completed an invaluable Assessment or Audit which yielded a long list of vulnerabilities sorted by priority. The list is made up of Overly-Permissive firewall rules that you have no idea how to fix. That is where we come in. Many Vendors have "products" that claim to make this easy, but they all fall short on their promises. They try to drown you in voluminous rule and object usage reports. Then they stand back and expect you to think their product is great because of the digital data avalanche it produces.
This fools a lot of people. Don't let their smoke screen fool you.
What is Firewall Compliance?
The process of identifying, analyzing, and eliminating unused firewall access with the goal of making all rules meet Compliance Criteria. This includes removing entire rules that are unused, as well as replacing Overly-Permissive rules with more restrictive ones.
Who is a candidate for Firewall Compliance?
All Firewall Security Policies can be optimized and tightened to some extent. Most have a significant need for the service. We can help customers who already have a third party remediation, compliance or optimization tool and need to accelerate progress, or we can use our own proprietary tools to complete the job from start to finish.
How long does it take?
This depends upon the customer environment and the quality of the log data. Generally you should plan on it taking about 1 year, although excellent progress can be made in as little as 3-6 months.
What is an Overly-Permissive Rule?
A firewall rule that allows network access for a number of sources, destinations, or network protocols/services that is considered to be too great to be secure. More specifically, its permissiveness score exceeds a threshold set forth by the Compliance Criteria.
It is not unusual to see giant holes blown in firewalls by rules such as the ones below. Rule 10 is the rule someone wanted in order to allow client-to-server connectivity. Often a reverse of the client-to-server rule is incorrectly put into place to allow the server's replies to the client. Since almost all modern firewalls are stateful, this "reverse rule" is not needed: the firewall tracks each connection it has allowed and permits the replies automatically, so the reverse rule never matches anything. It is amazing how many "professional" firewall admins are ignorant of this basic fact.
Why do Overly-Permissive Rules get into security policies? Possible causes include...
A legacy rule carried over from when the firewall was newly set up and admins were trying to get things working as quickly as possible. A lax request/approval process where an application owner requested overblown access and it was put into place without push back. It could simply be the result of careless administration.
What is Compliance Criteria?
The part of a Security Compliance Policy which determines whether a specific element is acceptable or not. The specifics vary by the industry, sensitivity of the data being protected, government regulatory requirements, and many other factors. Compliance Criteria is usually created for clients to meet their security needs.
The Firewall Compliance Process
The remediation of Overly-Permissive Rules consists of the following 4 primary steps.
1) Rule Assessment Scorecard
We start by assessing your rules and scoring them. This is the easy part. Which rules are addressed in the subsequent steps is determined by the Compliance Criteria used, which in turn is determined by need, often by regulatory requirements such as PCI, HIPAA, etc.
2) Rule Usage Determination
Firewall traffic log information is parsed into a special-purpose database, from which a Rule Usage Database is built showing which rules, and which source/destination/service combinations within each rule, actually carry traffic.
3) Replacement Rules
Next, the patent pending RuleGen Engine generates a set of replacement rules based on legitimate usage.
4) Compliance verification
Lastly, the rule scoring is performed again to make sure the target compliance goals have been achieved.
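The following Python sketch is an added illustration of the four steps above; it is not the RuleGen Engine or any tooling from this page. The rule base, the log format, the scoring formula (log2 of the number of sources, destinations and services, summed) and the threshold of 12 are all constructed for the example. Rule 11 is the unneeded "reverse rule" discussed earlier: on a stateful firewall the server's replies match the connection table rather than a rule, so it never appears in the logs and is dropped as unused, while the overly-permissive rule 10 is replaced by tight rules built only from observed usage.

```python
import ipaddress
import math
import re
from collections import defaultdict

# Constructed rule base (hypothetical; not the rule table referenced on the page).
# src/dst are lists of CIDRs, svc is a set of "proto/port" strings; "any" is allowed in both.
RULES = [
    {"id": 10, "src": ["10.1.0.0/16"], "dst": ["10.20.0.0/24"],
     "svc": {"tcp/443", "tcp/22", "tcp/3389", "udp/53"}},           # client -> server, too broad
    {"id": 11, "src": ["10.20.0.0/24"], "dst": ["10.1.0.0/16"], "svc": {"any"}},  # the "reverse rule"
    {"id": 12, "src": ["192.168.5.0/24"], "dst": ["10.30.0.7/32"], "svc": {"tcp/8080"}},
]
MAX_SCORE = 12.0  # hypothetical Compliance Criteria threshold

# Constructed log lines in a made-up key=value format (a real firewall's format will differ).
LOG = """\
rule_id=10 src=10.1.2.3 dst=10.20.0.5 svc=tcp/443
rule_id=10 src=10.1.2.4 dst=10.20.0.5 svc=tcp/443
rule_id=10 src=10.1.2.3 dst=10.20.0.9 svc=tcp/22
rule_id=10 src=10.1.2.3 dst=10.20.0.5 svc=tcp/443
rule_id=12 src=192.168.5.10 dst=10.30.0.7 svc=tcp/8080
"""
LOG_RE = re.compile(r"rule_id=(\d+) src=(\S+) dst=(\S+) svc=(\S+)")

ANY_ADDRS = 2 ** 32        # "any" address counts as the whole IPv4 space
ANY_SVCS = 2 * 65536       # "any" service counts as the tcp + udp port space (hypothetical sizing)


def addr_count(cidrs):
    return sum(ANY_ADDRS if c == "any" else ipaddress.ip_network(c).num_addresses for c in cidrs)


def svc_count(svcs):
    return ANY_SVCS if "any" in svcs else len(svcs)


def score(rule):
    """Step 1: permissiveness score. A host-to-host, single-service rule scores 0."""
    return (math.log2(addr_count(rule["src"])) + math.log2(addr_count(rule["dst"]))
            + math.log2(svc_count(rule["svc"])))


def build_usage_db(log_text):
    """Step 2: rule_id -> {(src, dst, svc): hit count}; unmatched lines are ignored."""
    usage = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            usage[int(m.group(1))][(m.group(2), m.group(3), m.group(4))] += 1
    return usage


def replacement_rules(rule, observed):
    """Step 3: one tight rule per (dst, svc) pair actually used, listing only the sources that used it."""
    groups = defaultdict(set)
    for src, dst, svc in observed:
        groups[(dst, svc)].add(src + "/32")
    return [{"id": f"{rule['id']}-{n}", "src": sorted(srcs), "dst": [dst + "/32"], "svc": {svc}}
            for n, ((dst, svc), srcs) in enumerate(sorted(groups.items()), 1)]


def remediate(rules, usage, max_score):
    """Remove unused rules, replace overly-permissive ones, keep the rest. Returns (new rules, report)."""
    new_rules, report = [], {}
    for rule in rules:
        observed = usage.get(rule["id"], {})
        if not observed:
            report[rule["id"]] = "removed (no log hits)"
        elif score(rule) <= max_score:
            new_rules.append(rule)
            report[rule["id"]] = "kept (compliant)"
        else:
            repl = replacement_rules(rule, observed)
            new_rules.extend(repl)
            report[rule["id"]] = f"replaced by {len(repl)} rule(s)"
    return new_rules, report


def verify(rules, max_score):
    """Step 4: re-score and return the ids of any rule still above the threshold."""
    return [r["id"] for r in rules if score(r) > max_score]


if __name__ == "__main__":
    db = build_usage_db(LOG)
    final_rules, outcome = remediate(RULES, db, MAX_SCORE)
    for rid, what in outcome.items():
        print(f"rule {rid}: {what}")
    for r in final_rules:
        print(f"{r['id']}: score {score(r):.1f} {r['src']} -> {r['dst']} {sorted(r['svc'])}")
    print("still non-compliant:", verify(final_rules, MAX_SCORE))
```

The scoring formula is deliberately simple; a real Compliance Criteria would weight services differently (a management port is worse than HTTPS) and would usually demand a minimum observation window before declaring a rule unused, since a rule that only fires during quarterly processing is not unused, just quiet.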