Firewall Rules And Optimize Firewall Performance Computer Science Essay

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Introduction

A firewall plays a crucial role in implementing an organization's security policy by controlling the flow of network traffic between internal and external hosts. A firewall is usually designed to determine which protected network zone an incoming or outgoing packet is allowed to access. This protects information assets from external attacks that could compromise confidentiality or result in data leakage. A firewall must be configured properly in order to function efficiently. In practice, configuring a firewall policy is not easy and is often hard to understand because the rules are written in a low-level language. Both the increasing sophistication of attacks and changes in the organization's security policy require rules to be configured so that organizational information is secured more strongly. However, if a firewall administrator does not have a good understanding of protocols and services when adding, modifying or deleting rules, the number (and complexity) of rules will grow and errors will unavoidably become more likely, which makes the quality of the firewall configuration critical to enforcing the network security policy. Firewall administrators need to be aware of, and understand, the kinds of logical errors that could expose the organization to attack, so that they can reduce errors and simplify the rulebase and the organization can stay secure. This paper acts as a guide for firewall administrators, helping them understand how firewall misconfiguration or mismanagement produces errors, and suggests effective ways to reduce them.

Rule-based firewalls are widely used because they are easy to implement, low in cost and efficient at meeting business security requirements. A rule-based firewall uses a set of rules to decide whether packets sent between trusted and untrusted networks are allowed or denied. Basically, a firewall rule consists of four elements:

Action: the action that is taken when the rule is matched (allow or deny).

Source IP: the IP address of the source system affected by the rule.

Destination IP: the IP address of the destination system affected by the rule.

Destination port: the destination port, corresponding to the type of service offered by the destination system.

Table 1: Sample Firewall Rulebase

Rule #   Action   Source IP        Destination IP   Destination Port
1        allow    any              192.168.1.1      80
2        allow    any              192.168.1.1      443
3        deny     192.168.2.0/24   any              25
4        allow    192.168.2.0/24   any              any
5        deny     any              any              any

Table 1 shows a sample firewall rulebase for a common environment. The first two rules allow any source IP to access 192.168.1.1 (the web server) on ports 80 (HTTP) and 443 (HTTPS). The 'any' source IP allows both the intranet and the Internet to reach the web server. The third rule blocks access from 192.168.2.0/24 (the intranet) to any destination on port 25 (SMTP). The fourth rule allows access from the intranet to any destination. The last rule, known as the 'cleanup rule', denies any access that is not explicitly authorized, following the fundamental principle of least privilege. This cleanup rule usually appears at the end of the rule set to handle packets that do not match any preceding rule.

In a rule-based firewall, the sequential order of the rules is important because a rule's position in the table determines its priority relative to the other rules. Rules that occur earlier have higher priority than later rules.

A rule-based firewall works by examining the rules in sequential order. For each incoming and outgoing packet, the firewall extracts the IP header fields (source IP, destination IP, source port and destination port) and compares them with the rules in turn; the first matching rule determines the action (allow or deny) taken by the firewall.

Likelihood of errors

Some organizations have such a complicated security policy that firewall administrators must understand it thoroughly in order to translate it into a list of rules. In some cases the security policy is so complicated that administrators cannot implement it as required, because they find it difficult to translate a policy written by humans into rule configurations understood by the firewall. How often new rules must be defined depends on how often the security policy changes; in a large company with many networked branches this might be 50 to 100 times a month. That means the firewall administrator may have to add, delete and modify rules as the policy requirements change. Worse, newly added rules may already exist, especially when a new administrator takes over from the previous one, leading to rule conflicts and a high likelihood of policy misconfiguration. This may actually reduce overall network security by making errors more likely. The common errors (known or undetected) found in firewall rulebases are categorized as follows.

Promiscuous rules: allow more access than necessary to meet the stated business requirements. For example, a rule that allows access to a system from all IP addresses when access is only necessary from a single subnet, or a rule that allows access to a system on multiple ports when only a subset of those ports is required. A promiscuous rule is a serious error for the organization.

Redundant rules: result when one rule duplicates all or a portion of the access permitted or denied by an existing rule. For example, a rule that allows a single IP address to access a server on a particular TCP port when an existing rule already allows all IP addresses to access that port. A redundant rule does not by itself pose a risk to the organization, and the security policy is not affected if it is removed. However, if many redundant rules are found in a rule set, they reduce the overall performance of the firewall, because the rule set becomes larger and comparing each packet against every rule in sequence takes more time. For instance:

Rule #   Action   Source IP      Destination IP   Destination Port
1        allow    192.168.3.0    192.168.1.1      80
2        allow    192.168.3.2    192.168.1.1      80

Rule 1 and rule 2 are redundant because rule 2 allows 192.168.3.2 to access 192.168.1.1 on port 80, which was already permitted by rule 1.

Shadowed rules: a shadowed rule is one that is never activated, because every packet that would match it is already matched by one or more higher-ranking rules written above it. Examples of shadowed rules include a rule that denies access to a particular website placed below a rule that allows access to all websites, and a rule that allows access to a server on a single port from a single IP address placed below a rule that blocks all access to that server from all IP addresses. Shadowing is a critical error in the policy, since the shadowed filtering rule never takes effect. The situation is worse when the lower rule is intended to block traffic to a particular server: because the more general rule appears first, the block never takes effect. It is important to discover shadowed rules and alert the administrator, who can correct the error by reordering or removing the shadowed rule.

Rule #   Action   Source IP      Destination IP   Destination Port
1        allow    any            192.168.1.1      80
2        deny     192.168.10.2   192.168.1.1      80

Rule 2 is never executed because it is shadowed by rule 1. As a result, although the security policy says that host 192.168.10.2 must be blocked from reaching the web server 192.168.1.1, the firewall policy actually allows 192.168.10.2 to access the web server, because rule 2 is shadowed by rule 1.

Orphaned rules: exist in the firewall rulebase but are never matched by traffic going through the firewall. For instance, a rule intended to allow access to a database server that incorrectly specifies a non-existent destination IP address, or a rule intended to allow HTTP access to a server that no longer hosts a website. An orphaned rule is not a critical error and has no impact on the organization's security policy, but the more orphaned rules a rule set contains, the larger it becomes and the lower the overall firewall performance, since the firewall takes longer to match each rule.

Unused rules: an unused rule is quite similar to an orphaned rule, except that an unused rule was never used in the first place. Unused rules may result from administrator error, or from a change in the security policy after which the administrator forgot to delete the rules.

Rule specification errors: a rule that contains errors made in the conversion from the business requirement to the firewall rule definition. Examples of rule specification errors include specifying the incorrect port for a service (e.g., creating a rule for port 80 when the business requirement was the FTP service), specifying rules that do not meet the business requirement because it was misunderstood, and failing to specify a rule necessary to meet the business requirement. This kind of error is critical and needs to be resolved immediately, otherwise the organization's operations are affected.

Data entry errors: this error occurs when converting a technical rule definition into the firewall policy format and entering that rule into the firewall rulebase. Examples of data entry errors include mistyping a port number (e.g., creating a rule for port 52 when the technical rule specified port 25) and mistyping a source or destination address (e.g., creating a rule for 192.168.0.0/24 instead of 129.168.0.0/24). This kind of error is as critical as a rule specification error and needs to be resolved immediately, otherwise the security policy is affected.

Undetected or known errors made by administrators or supervisors that fall into the categories above need to be resolved immediately, because they have a great impact on enterprise security and leave the organization unable to enforce its security policies as expected.

Organizations exposed to high risk

Increased firewall complexity is undoubtedly a major contributing factor to rulebase configuration errors. Some firewall administrators freely admit that errors remain unresolved or undetected because their rules are so complex and so numerous that reviewing and updating them manually is difficult. Research reported in the ISSA Journal, February 2009, volume 7, issue 2, revealed that most firewall administrators did not use an automated process to detect orphaned firewall rules. Detecting and deleting orphaned rules is a trivial way to minimize complexity, yet the huge majority of enterprises did not practice this simple technique. An organization whose firewall complexity has increased through misconfiguration is likely to become vulnerable to threats. For example, suppose a server storing confidential data may, according to the initial security policy, be accessed only from the internal network. If that security policy is later changed and the firewall administrator misunderstands the changed policy and misconfigures the firewall rule, the result may be that access is allowed from an untrusted network such as the Internet, leading to data leakage.

Effective ways to reduce errors and increase firewall performance

The task of configuring firewall rules correctly is never easy, because the firewall administrator is not sure what the effects of a change to the rules will be. Since the impact of rulebase complexity has been described above, an approach that decreases or eliminates complexity, and therefore reduces errors as well, is needed. The following best practices are the best ways to prevent or reduce errors in firewall rules and also to optimize firewall performance.

Deny all services and ports that are not needed by simply placing a cleanup rule at the bottom of the rule table.

Document every rule that has been added, deleted or modified because of a change in the security policy requirements.

Remove unused rules from the rulebase. There are two sources for this task: the firewall rule set and the traffic logs. Identifying unused rules by manually checking every firewall rule against the documentation of rule changes, and looking for rules that are no longer in use, is possible if the number of rules is small. The alternative is reviewing the firewall traffic logs. By identifying the traffic in and out of the server over a reasonable period of time, you can see how often each rule is used and therefore which rules are no longer used. A rule with zero usage is an unused rule that can safely be deleted.

Removing redundant rules that are covered by one or more succeeding rules is a bit more difficult. Here is the process for finding and removing these rules.

For each overlap found for a given rule, the rule can be removed:

If there is a rule below it in the rule sequence that is the first rule to completely cover this rule and that has the same action.

If there are one or more rules in the access list that together cover this rule and have the same action.

If any of the rules that overlap this rule have a different action, then you cannot remove this rule.

Re-order rules by placing the heavily used rules near the top of the rulebase and the least used rules near the bottom. This increases overall firewall performance: the most frequently matched rules sit in the high-ranking positions and the least matched in the low-ranking ones, whereas if frequently matched rules are placed in the middle or at the bottom, the firewall takes longer to reach them for each packet.

Review the firewall policy regularly and periodically to verify that the rules in place deny any traffic that is not explicitly required for business purposes, and make sure there are no rules that stem from malicious traffic, such as a port scan.

Use commercial software that can detect conflicting rules such as shadowed rules, unused rules and orphaned rules, so that firewall administrators spend less effort on manual checks and can focus on other things.
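The sequential first-match evaluation described earlier and the redundant-rule removal procedure above, implemented as an added Python example (not part of the original essay). It assumes rules are written as (action, source, destination, destination port) tuples, with 'any' as a wildcard and IPv4 addresses in host or CIDR form; the redundancy check applies only the single-covering-rule case of the procedure.

```python
import ipaddress
# Constructed rulebase mirroring Table 1 of the essay: (action, src, dst, dport)
TABLE1 = [("allow", "any", "192.168.1.1", "80"),
          ("allow", "any", "192.168.1.1", "443"),
          ("deny", "192.168.2.0/24", "any", "25"),
          ("allow", "192.168.2.0/24", "any", "any"),
          ("deny", "any", "any", "any")]

def _fields(rule):  # -> (src network, dst network, inclusive port range)
    net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)
    ports = (0, 65535) if rule[3] == "any" else (int(rule[3]), int(rule[3]))
    return net(rule[1]), net(rule[2]), ports   # "any" = all IPv4; bare host = /32

def matches(rule, src, dst, dport):
    """True if a packet (src IP, dst IP, dst port) matches the rule's fields."""
    s, d, (lo, hi) = _fields(rule)
    return ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d and lo <= dport <= hi

def first_match(rules, src, dst, dport):
    """Sequential first-match evaluation: returns (rule number, action)."""
    for i, rule in enumerate(rules, 1):
        if matches(rule, src, dst, dport):
            return i, rule[0]
    return 0, "deny"  # nothing matched (rulebase without a cleanup rule)

def covers(a, b):
    """True if every packet matching rule b also matches rule a."""
    sa, da, (alo, ahi) = _fields(a); sb, db, (blo, bhi) = _fields(b)
    return sb.subnet_of(sa) and db.subnet_of(da) and alo <= blo and bhi <= ahi

def overlaps(a, b):
    """True if at least one packet matches both rules."""
    sa, da, (alo, ahi) = _fields(a); sb, db, (blo, bhi) = _fields(b)
    return sa.overlaps(sb) and da.overlaps(db) and max(alo, blo) <= min(ahi, bhi)

def shadowed(rules):
    """Rules that can never fire: an earlier rule covers them with a different action."""
    return [j + 1 for j, r in enumerate(rules)
            if any(covers(rules[i], r) and rules[i][0] != r[0] for i in range(j))]

def removable_redundant(rules):
    """Rules removable per the procedure: a later same-action rule covers them first."""
    out = []
    for j, r in enumerate(rules):
        for k in range(j + 1, len(rules)):
            if overlaps(r, rules[k]) and rules[k][0] != r[0]:
                break  # different-action overlap first: removal would change behaviour
            if covers(rules[k], r) and rules[k][0] == r[0]:
                out.append(j + 1)
                break
    return out
```

Running `shadowed` on the essay's shadowing example reports rule 2, while Table 1 yields no shadowed or removable rules because every overlap between its rules involves a different action.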

Conclusion

Firewall policy rules are one of the most important elements of the network security system in many organizations, and they play a vital role in managing any organization's security infrastructure. Managing the policy rules is therefore a significant task for the firewall administrator. Making administrators aware of the firewall rule errors that result from misconfiguration, and providing them with best practices, helps them enforce the security policy effectively in order to meet business requirements.
