SecureState recently performed a Firewall Ruleset Review for a midsized company. The review revealed many of the problems we commonly see with firewall management. Rather than blame the understaffed, overworked security team, it seemed like it would be more helpful to highlight some of the recommendations we provided the client. The hope is that these recommendations can be instructive for your company as well.
Many of their firewalls had dead rules, rules referencing non-existent networks, and “permit any” rules. Those are the low-hanging fruit we look for first, and fixing them immediately improves the security of the attached networks. Any access list that ends in “permit ip any any” wastes CPU cycles and RAM: why make the firewall evaluate every preceding rule if it permits everything at the end anyway? Not to mention that, if you are going to do that, you could have saved yourself hundreds or thousands of dollars by buying a router and using static routes to forward traffic. But in the security world that isn’t an option.
Many of their timeout settings were too large, insecure protocols were in use, and ingress or egress rules were missing. One of their firewalls was just about the worst-case scenario: it was essentially built backwards, with a whole slew of deny statements followed by a permit any statement. Overall, their largest issue was a lack of egress filtering. Missing egress filtering is a weakness that SecureState’s Profiling Team often exploits during penetration tests; using and abusing these lax rules allows them to accomplish many tasks.
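The three low-hanging problems above (catch-all permits, dead rules, and rules pointing at networks that no longer exist) can be caught mechanically before a human review. The script below is an added example written for this post, not SecureState's tooling or the client's configuration: it parses a small, constructed Cisco-style extended ACL, flags a terminal "permit ip any any" (the "built backwards" case), reports rules shadowed by an earlier rule so they can never match, and reports any source or destination network that is not in an assumed network inventory. The ACL text, the inventory list, and the simplified syntax it accepts (`any`, `host A.B.C.D`, or `A.B.C.D wildcard`, with an optional numeric `eq port`) are all assumptions of the example.

```python
"""Minimal ruleset linter for Cisco-style extended ACLs (example code).

Flags catch-all "permit ip any any" rules, dead (shadowed) rules that can
never match, and rules that reference networks missing from the inventory.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    line: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None   # destination port from "eq <port>", if any

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` would already match `self`."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        port_ok = self.port is None or self.port == other.port
        return (proto_ok and port_ok
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))

    def is_catch_all_permit(self) -> bool:
        return (self.action == "permit" and self.proto == "ip"
                and self.src == ANY and self.dst == ANY and self.port is None)


def _parse_endpoint(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a Cisco wildcard (host mask) in place of a netmask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text: str):
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), start=1):
        tokens = raw.split()
        # skip remarks and anything that is not a permit/deny entry
        if tokens[:1] != ["access-list"] or tokens[2] not in ("permit", "deny"):
            continue
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_endpoint(tokens[4:])
        dst, rest = _parse_endpoint(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(n, action, proto, src, dst, port))
    return rules


def lint(rules, inventory):
    known = [ipaddress.ip_network(n) for n in inventory]
    findings = []
    for i, rule in enumerate(rules):
        # 3. references to networks that are not in the inventory
        for label, net in (("src", rule.src), ("dst", rule.dst)):
            if net != ANY and not any(net.subnet_of(k) for k in known):
                findings.append(f"line {rule.line}: {label} {net} not in network inventory")
        # 1. catch-all permit: every rule after it is wasted CPU time
        if rule.is_catch_all_permit():
            findings.append(f"line {rule.line}: catch-all 'permit ip any any' (default-permit ACL)")
        # 2. dead rule: an earlier rule already matches everything this one would
        for earlier in rules[:i]:
            if earlier.covers(rule):
                findings.append(f"line {rule.line}: dead rule, shadowed by line {earlier.line}")
                break
    return findings


# Constructed sample, built "backwards" like the firewall described in the review.
SAMPLE_ACL = """
access-list 101 remark constructed sample ACL for the example
access-list 101 deny   tcp 10.1.0.0 0.0.255.255 any eq 23
access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 10.2.0.10 eq 443
access-list 101 deny   ip 192.168.50.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 101 permit tcp host 10.1.5.5 host 10.2.0.10 eq 443
"""
INVENTORY = ["10.1.0.0/16", "10.2.0.0/16"]   # assumed: the networks that actually exist

if __name__ == "__main__":
    for finding in lint(parse_acl(SAMPLE_ACL), INVENTORY):
        print(finding)
```

Run against the sample, the linter reports the retired 192.168.50.0/24 network on line 4, the catch-all permit on line 5, and the rule on line 6 that can never match because line 3 already covers it. The shadowing check is deliberately conservative (one earlier rule must cover the later one completely), so it will miss rules that are only dead because of a combination of earlier rules; those still need the human review.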
All of these issues added up to weak overall network security caused by poor firewall management. SecureState recommended, and helped implement, a process for documenting every rule and configuration setting in each firewall configuration. No longer should someone in the company encounter an unusual firewall rule and have to ask a coworker whether they added it; that doesn’t count as proper documentation.
At the end of the day, even with significant high-dollar equipment in place, the lack of a dedicated process behind the ruleset rendered much of it useless. SecureState recommended justifying every rule and every business segment, then setting it and forgetting it. There should be no need to constantly modify your firewall. When a new server or software package is installed the ruleset will be revisited, but adding and dropping lines daily or even weekly is not an efficient use of anyone’s time.
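"Justify every rule" only works if the justification lives next to the rule and is checked. The example below is added here and is not SecureState's process or the client's ruleset: it keeps a small, constructed ruleset in which every entry carries an owner, a change ticket, a business justification and a last-reviewed date, enforces those fields at the moment a rule is added (the change-control gate), and audits the existing entries for anything undocumented or past an assumed annual review interval. The field names and the one-year interval are assumptions of the example.

```python
"""Change-control record and audit for a firewall ruleset (example code)."""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)    # assumption: ruleset is audited annually
REQUIRED = ("owner", "ticket", "justification", "last_reviewed")

# Constructed sample ruleset; the metadata fields are the ones this example assumes.
RULESET = [
    {"id": 10, "rule": "permit tcp 10.1.0.0/16 -> 10.2.0.10 eq 443",
     "owner": "web-team", "ticket": "CHG-0042",
     "justification": "office LAN to intranet portal", "last_reviewed": date(2024, 3, 1)},
    {"id": 20, "rule": "permit tcp 10.1.0.0/16 -> any eq 22",
     "owner": "", "ticket": "", "justification": "", "last_reviewed": None},
    {"id": 30, "rule": "permit udp 10.3.0.0/16 -> 10.2.0.53 eq 53",
     "owner": "netops", "ticket": "CHG-0017",
     "justification": "internal DNS", "last_reviewed": date(2021, 6, 15)},
]


def add_rule(ruleset, rule, *, owner, ticket, justification, today):
    """Change-control gate: a rule enters the ruleset only with a complete record."""
    if not (owner and ticket and justification):
        raise ValueError("rule rejected: owner, ticket and justification are required")
    entry = {
        "id": max(r["id"] for r in ruleset) + 10,
        "rule": rule, "owner": owner, "ticket": ticket,
        "justification": justification, "last_reviewed": today,
    }
    ruleset.append(entry)
    return entry


def audit(ruleset, today):
    """Return (rule id, problem) pairs for undocumented or stale rules."""
    findings = []
    for r in ruleset:
        missing = [f for f in REQUIRED if not r.get(f)]
        if missing:
            findings.append((r["id"], "undocumented: missing " + ", ".join(missing)))
            continue                      # cannot judge staleness without a review date
        if today - r["last_reviewed"] > REVIEW_INTERVAL:
            findings.append((r["id"], f"stale: last reviewed {r['last_reviewed']}"))
    return findings


if __name__ == "__main__":
    for rule_id, problem in audit(RULESET, date(2025, 1, 1)):
        print(f"rule {rule_id}: {problem}")
```

Audited on 1 January 2025, the sample flags rule 20 as undocumented (nobody can say who added the SSH-to-anywhere permit or why) and rule 30 as stale, while rule 10 passes. An undocumented rule that nobody can justify is exactly the one the post says should be removed rather than asked about around the office.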
The moral of the story: if you are making constant changes, have bad rules, or run an insecure configuration, start over and build your configuration properly. A regular audit of the firewall ruleset is always a good idea and should be budgeted for. Put proper change control, documentation, and justification in place, and you will be amazed at how much more secure your network becomes.