< Back

Security : Firewall : Configuration : Rules

When Words Fail...Automate!

By Calum MacLeod
Calum MacLeod
Director of Sales, Benelux
Tufin Technologies

Apparently we have hit the million word mark in English, according to some American organization that monitors such things. Now I know that most of you will probably be inclined to make some disparaging remark about Americans and the English language but it just goes to show that there are probably about nine hundred and ninety thousand useless words in the language. According to the BBC, a fluent speaker may have a vocabulary between 20-40000 words and most of us survive with a few thousand, or if you’re a certain celebrity chef, one’s enough!

Now apart from the fact that there are probably hundreds of thousands of words that are never used, another phenomenon in our daily use of language is generalizations.  The problem with generalizations is that we make statements that will include “any and all”, either because we are unable or unwilling to obtain all of the information we would need to make accurate judgments about people.  For example it is not true that all Scots drink whisky and wear kilts. Everywhere I go it seems that as soon as someone discovers my heritage they launch into their Scottish whisky tour stories and start discussing the merits of “Glenwhatever” as if I’m supposed to be some kind of expert. I happen to belong to that group of “all Scots” who hate the “any” form of the stuff! Also I discovered that Germans categorize all cars with a Dutch registration as a menace on the road – I’m looking for the bumper sticker that says “I’m not Dutch”!

So what you may ask does this have to do with firewalls and IT security. Well actually we seem to have carried our love for unnecessary words and generalizations into the world of IT security. Look at any firewall configuration and you are likely to find hundreds of rules that are either unused or expired. Additionally in many cases rules are in the wrong place or out of context, like the restaurant menu in the North of England that said “our prices have went up” – although they did manage to spell gâteau and pâté correctly! Additionally we do love the use of generalizations in our rule bases. It is simply much easier to put an “any and all” rule in because we are unable or unwilling to obtain all of the information we would need to create an accurate rule.

But to ask anyone to simply analyze a firewall rule base to select what is actually necessary and to remove all the generalizations is virtually an impossible task. I was recently told by a small financial organization that they had spent six months, with specialist outside help, trying to analyze their firewall rule bases before migrating from one firewall vendor to another. And the result? At the end of the exercise they said that they just simply copied a large part of the rule base as was because no one could actually figure out what the rules did.

The problem is that in many cases firewall administrators are not able to accurately analyze rule bases because they have no understanding of who requested a service and what they are connecting to.  Additionally they are afraid that they may make changes that result in disruption to business critical applications. So here are some of the challenges to expect.

  1. Cleaning up or migrating a rule base - especially if it’s between two different products – is very complex. Firstly it requires that a thorough analysis is made of what traffic is actually accepted. In reality a firewall configuration should consist of traffic specifically allowed and all other traffic should be blocked. The problem very often is that rules are to general so that rules with “deny” will be found all over the configuration along with rules that are just to general
  2. Rule usage analysis - Creating a new rule base without ordering your rules based on usage means that you inherit the same performance issues since frequently the most used rules are at the bottom of the rule base since new rules are frequently just added to the bottom. But rule usage alone is not the only issue.
  3. Risk and Business Continuity Compliance - Just because a rule is heavily used does not mean that by default it goes to the top. Designers need to consider not only the usage but also the organizational risk policy and the business continuity policy. And this adds to the complexity, which makes it an almost impossible task to carry out manually.
  4. Controlling Permissions - And finally rule bases are frequently to general. Very often rules are defined with “Any” for outbound traffic and sometimes even for services. This means that high-risk services can be used and that too often users have access to destinations and services that are risky. In other words firewall administrators should avoid the use of “Any”.

The bottom line is that it is as impractical to expect someone to generate a firewall policy from an existing firewall as it would be to expect someone with limited language skills to translate a document from English to another language.  Without the necessary policy generator tools it becomes an impossible exercise. You might as well try and learn the dictionary. Try looking for a word in the dictionary based on knowing the definition! Very often your firewall configuration is the same – you know what it should do but you just can’t find where it does it.

So unless you’re looking to limit your language skills to the level of a celebrity chef, my advice is that you look seriously into getting hold of the right tools to automatically generate your firewall policies. You’ll save yourself a lot of frustration which in case you’re wondering what it means is “a feeling of dissatisfaction, often accompanied by anxiety or depression, resulting from unfulfilled needs or unresolved problems.” – In other words what you get from trying to generate your firewall policy manually!


Calum MacLeod
Director of Sales, Benelux
Tufin Technologies
Calum MacLeod is a Regional Manager for Tufin Technologies. With more than 30 years of expertise in secure networking technologies, Calum brings deep domain expertise and a wealth of long standing business relationships to Tufin.

Prior to joining Tufin, Calum worked at Cyber-Ark Software as Director of Business Development, where he was responsible for developing their business in Privileged Identity Management in Western Europe and Africa. Prior to Cyber Ark he has worked with several companies in the development and launching of new technologies such as SSL VPN and PKI.

MacLeod has also served as an independent consultant to corporate and government clients on IT security strategy for various European market segments, including the European Commission.

About Us Editorial

© 2019 Simplex Knowledge Company. All Rights Reserved.   |   TERMS OF USE  |   PRIVACY POLICY