Identifying Devices for Improvement
Device Complexity
To make improvements with usage data, a firewall admin will start by looking at the device complexity to determine which devices need the most work. Device Complexity is a percentage that measures the complexity of a device's firewall rule configuration. Essentially, it is a weighted ratio of physical rules to logical rules on each firewall. Every new component a network administrator adds to a rule - such as a group member, host, network, or service - adds to the device complexity. The higher the device complexity, the greater the risk of a configuration error.
Complex Firewalls Report
There is also a report that displays the same information. The Complex Firewalls Report lists the firewalls with the most complex policies in a selected device group.
Use Case
By looking at the Complex Firewalls Report, a firewall admin determines that he will start by cleaning up the firewall with the highest complexity. He runs a rule usage report on that firewall to see how many rules in the policy have not been hit in the last year. The firewall admin removes these unused rules to improve the efficiency and manageability of the device. He then runs the other types of usage reports to improve the policy further.
Policy Cleanup
Removable Rules Report - displays the security rules that may be safely removed because they are shadowed or redundant. A shadowed rule is essentially a contradictory rule. It will have the same source, destination, and service but with a different action. For instance, rule 2 below would be considered a shadowed rule:
Rule: 1 Source: 10.0.2.3 Destination: 72.56.321 Service: HTTPS Action: Accept
Rule: 2 Source: 10.0.2.3 Destination: 72.56.321 Service: HTTPS Action: Deny
Rule Consolidation Report - displays security rules on the firewall that may be safely consolidated without changing the behavior of the policy.
Highly Used Rules Low in the Rule Base Report - displays security rules that are highly used and are low in the rule base, which can cause performance problems.
Use Case
The Highly Used Rules Low in the Rule Base Report is run to identify rules that are highly used and are low in the rule base. This is known to cause performance issues on firewalls since traffic has to go through all of the other rules first before hitting this one. The firewall admin moves this rule up higher in the policy so that traffic is passed through without having to go through other rules first.
Rule Cleanup
Security Manager will identify policy inefficiencies directly in the GUI. This data will provide greater visibility into your policies and allow you to make improvements without even running a report.
Usage analysis shows a policy's rule and object usage over time. This data can be used to reorganize rules for efficiency, remove unused rules or objects, and reduce overly permissive rules. Usage Analysis requires that logging be enabled for each rule on the firewall. Note: We can gather usage data from hit counts for Cisco devices. However, we strongly recommend using logs, as it is much more efficient for Security Manager.
Rule Properties
The rule properties filter will also display a set of rules that have the potential for improvements.
Reports
Object Usage Report - displays a device's network, service, application, and user objects overlaid with usage counts for a defined time period.
Rules Usage Report - displays a device's security rules overlaid with usage counts for a defined time period.
Unused Rules Report - provides a list of rules that were not used during a defined time period, excluding rules that were disabled or not logged.
Use Case
The Removable Rules Report is run to identify a number of rules that are shadowed and redundant. The firewall admin removes the redundant rules without reviewing them since removing them will not affect access. A rule is considered redundant when there is already a rule that performs the same action in the policy. He doesn't remove the shadowed rule without first reviewing it and the opposite rule to determine which rule should be removed. A rule is considered shadowed when there is another rule that performs the opposite action.
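The Policy Cleanup reports and the use case above both rest on the same distinction between shadowed, redundant and unused rules. The script below is an added example, not Security Manager code: it applies those definitions to a constructed rule base (the addresses, service names and hit counts are made up for the example).

```python
# Added example, not Security Manager code: classify a constructed rule base
# the way the Removable Rules and Unused Rules reports do.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Rule:
    number: int
    src: str
    dst: str
    svc: str
    action: str         # "Accept" or "Deny"
    hits: int = 0       # hit count over the reporting period
    logged: bool = True
    enabled: bool = True

def classify(rules: List[Rule]) -> Dict[str, List[int]]:
    """Rules match top-down, so an earlier enabled rule with the same
    source/destination/service wins over a later one:
      same action  -> the later rule is redundant (safe to remove)
      other action -> the later rule is shadowed (review both first)
    unused: zero hits while enabled and logged; disabled or unlogged
    rules are excluded, as in the Unused Rules Report."""
    out: Dict[str, List[int]] = {"shadowed": [], "redundant": [], "unused": []}
    first_match: Dict[Tuple[str, str, str], Rule] = {}
    for r in rules:
        if not r.enabled:
            continue                  # a disabled rule never matches traffic
        key = (r.src, r.dst, r.svc)
        earlier = first_match.get(key)
        if earlier is None:
            first_match[key] = r
        elif earlier.action == r.action:
            out["redundant"].append(r.number)
        else:
            out["shadowed"].append(r.number)
        if r.logged and r.hits == 0:
            out["unused"].append(r.number)
    return out

# Constructed rule base; rules 1 and 2 follow the page's shadowing example
SAMPLE = [
    Rule(1, "10.0.2.3", "203.0.113.10", "HTTPS", "Accept", hits=120),
    Rule(2, "10.0.2.3", "203.0.113.10", "HTTPS", "Deny"),
    Rule(3, "10.0.5.0/24", "Any", "DNS", "Accept", hits=4000),
    Rule(4, "10.0.2.3", "203.0.113.10", "HTTPS", "Accept"),
    Rule(5, "10.0.7.9", "Any", "SMTP", "Accept", logged=False),
    Rule(6, "10.0.8.1", "Any", "SSH", "Accept", enabled=False),
]
print(classify(SAMPLE))  # {'shadowed': [2], 'redundant': [4], 'unused': [2, 4]}
```

Note that the shadowed rule 2 also shows up as unused: traffic never reaches it, which is why the use case reviews both rules before deciding which one to delete.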
Remediating Overly Permissive Rules
Firewall Traffic Flow Analysis (TFA) enables you to view detailed data on broad, permissive rules inside of a firewall policy. Security Manager provides hit counts on the “Any” object or large networks, identifying the specific IP addresses of the source and destination objects, and the service name, protocols and ports. You can also view flow on the entire rule, for visibility into traffic patterns through a generic rule.
- Because of the large amount of data possible inside of each rule, this information is not automatically collected. You must specifically enable Traffic Flow Analysis for those rules for which you want the detailed traffic data.
- Firewall Traffic Flow Analysis is available for devices with normalized configurations.
- Make sure that you have turned on logging for these devices. In most cases, logging is configured when devices are added to Security Manager. Please see the Administrator's Guide for logging configuration in the device setup instructions.
Use Case
A firewall admin at a bank runs TFA on an overly permissive rule that allows office employees to access any site/destination. He wants to only allow access to sites required to perform their job so he runs TFA for the next seven days to capture employee traffic. The TFA report shows him the sites that employees are accessing. He then edits the overly permissive rule to change the destination from 'Any' to the specific destinations shown in the TFA report.
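As an added illustration of this use case (example code, not Security Manager's own), the script below summarises constructed TFA-style flow records collected under a rule whose destination is "Any" and proposes narrowed rules; the source network, the flow records and the min_hits threshold are the example's own assumptions.

```python
# Added example, not Security Manager code: summarise constructed TFA-style flow
# records for a rule whose destination is "Any" and propose narrowed rules.
from collections import Counter
from typing import Dict, List, Tuple

# Constructed flow records (source, destination, protocol, port) of the kind
# TFA collects for the matched rule over the analysis period.
FLOWS: List[Tuple[str, str, str, int]] = [
    ("10.10.1.15", "198.51.100.20", "tcp", 443),
    ("10.10.1.16", "198.51.100.20", "tcp", 443),
    ("10.10.1.15", "198.51.100.21", "tcp", 443),
    ("10.10.1.22", "198.51.100.21", "tcp", 443),
    ("10.10.1.16", "203.0.113.5", "tcp", 80),
    ("10.10.1.22", "203.0.113.5", "tcp", 80),
    ("10.10.1.40", "192.0.2.99", "tcp", 22),
]

def summarise(flows) -> Dict[Tuple[str, str, int], int]:
    """Hit count per (destination, protocol, port) seen through the rule."""
    return Counter((dst, proto, port) for _src, dst, proto, port in flows)

def propose_rules(flows, src: str, min_hits: int = 2) -> Dict[str, object]:
    """Replace destination 'Any' with what was actually used. One rule per
    service keeps the result tight: a single rule listing every destination
    and every service would also permit combinations never observed.
    Tuples seen fewer than min_hits times go to 'review' instead of being
    dropped or allowed; min_hits is this example's own assumption."""
    by_service: Dict[str, List[str]] = {}
    review: List[Tuple[str, str, int]] = []
    for (dst, proto, port), n in sorted(summarise(flows).items()):
        svc = f"{proto}/{port}"
        if n >= min_hits:
            by_service.setdefault(svc, []).append(dst)
        else:
            review.append((dst, svc, n))
    return {"source": src, "rules": by_service, "review": review}

if __name__ == "__main__":
    print(propose_rules(FLOWS, "10.10.1.0/24"))
```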
Create a Traffic Flow Analysis Profile
- From the Security Manager toolbar, click Tools and select Traffic Flow Analysis.
- Click Create New Flow Profile.
- Under General Information, enter a name for the profile, select the target device, and select the period to run the analysis.
- Under Data Collection Criteria, click the Lookup button and select the rule. If you want to match across multiple rules, fill in the criteria for those rules instead.
- Now click the Create Flow Profile button.
Run a Traffic Flow Analysis Report
- From the Security Manager toolbar, click Tools and select Traffic Flow Analysis.
- Click on the Profiles page on the white toolbar to navigate to a list of profiles that are active and inactive.
- Locate the profile then click the icon to the right of the profile and select Run Report. If needed, edit the Flow Profile before running.
Edit or Delete a Traffic Flow Analysis Profile
- From the Security Manager toolbar, click Tools and select Traffic Flow Analysis.
- Click Profiles under the toolbar to navigate to a list of profiles that are active and inactive.
- Locate the profile then click the icon to the far right.
- Select edit or delete from the drop-down.