Firewall Rulebase Management: Tools and Techniques

Introduction

The introduction of the modern computer network has revolutionized how computing is used in the workplace. Whether it is through simple sharing files via common storage locations or accessing a wealth of information through both external Internet sources and internal intranet sources, the modern network has become a necessity for nearly all companies to deploy. Technology and application growth seem to continue unbounded raising the question of what the next technology will be after smart phones, Twitter, or social networking. Unfortunately, the very act of communication that opens up such a wealth of information serves as a double-edged sword, both allowing helpful, requested information to flow but also offering a new opportunity for malicious individuals to attack the digital enterprise environment.

In the enterprise security environment, the firewall serves as the front-line security device effectively delineating the perimeter between various zones of security control within the network of an organization. These zones of control can range from guarding sensitive data repositories such as a large database of personnel information to separating individual departments from one another to simply protecting the internal network from outside attacks originating in the Internet. Moreover, firewalls have become nearly ubiquitous with deployment levels approaching nearly 97% within modern enterprises (Richardson, 2007).

While other security tools such as virus scanners also enjoy similar deployment rates, the firewall is the de facto tool for enforcing network security. Analogous to the gate officer of old, firewalls operate as the network “traffic cop,” determining which connections can start and stop and to whom communications can go or from whom they can be received. Due to the current and growing significance of firewalls in computer security for the enterprise, this chapter has the following goals.

• •

  Overview of firewalls and networking: We begin with a brief overview of computer networks and describe the core approaches on how firewalls and the network interact. Particularly, we focus on the rules or logic of the firewall, i.e. how does the device decide what traffic may pass and how do the rules governing that activity emerge from company policy and / or history?

• •

  Discussion of rulebase management: We continue with a discussion of the current state of affairs with respect to firewall rulebase management. Given that the enterprise and its applications are ever changing, what is the current state of the industry and most organizations with respect to keeping their firewall rule sets in peak running condition. What are the most common approaches to this task?

• •

  An important but neglected aspect of rulebase management: We conclude the chapter with a case study regarding the notion of orphaned rules. We discuss why orphaned rules offer an excellent case study regarding the importance of proper organizational security leadership and we describe specific tools we have created to address this matter.