Companies have been encouraged to tidy up their firewalls in order to achieve optimum performance.

 

Calum Macleod, regional director at Tufin Technologies, claimed that there is a belief that a firewall can be installed and set up, and then left alone, a process that leaves it without up-to-date configurations.

 

McLeod said: “In most organisations the firewall configurations are changing on a daily basis with continuous requests for services to be added, removed, and modified. And this is not only a complex procedure but also very risky for an organisation.

 

“No matter how well qualified your firewall administrator is, or how experienced, it is impossible for anyone to be really on top of every rule in every firewall. For example how many of your staff totally understand your policies related to what services are allowed and who might use them?”

 

He described the firewall as being like an in-tray, in that something new is added on top of the existing configuration, with the result that rule bases increase to an unmanageable size.

 

This leaves rules overlapping with nobody taking the time to check this, or more likely people simply not knowing where to start. As more rules are added the performance of the firewall decreases because the firewall has to process through possibly hundreds of rules to find a match.

 

McLeod said: “Cleaning the rule base can very often result in a reduction of up to 50 per cent of rules because they are either partial shadowed (overlapping) with other rules or they are simply never used. The bottom line is effective management of your rule base can extend the lifespan of a firewall by many years – in other words there's no need to buy a new one.”

 

He also encouraged the monitoring of changes and the enforcing and monitoring of policies. It is also important to understand how an organisation translates a business service request to an actual change on the firewall, and encourage staff to fully understand what exactly needs to be changed and where.