Security Policy Optimization

Policies Grow Out of Control

As thousands of tickets are processed by the security team, and organizational business objectives evolve over time, the underlying policy configurations (firewall rulebases, router and switch ACLs, etc.) become very large, intricate and complex. In fact, many of the rules and objects in a typical firewall or router policy are obsolete. These unused rules represent a potential security hole and should be eliminated. Yet administrators do not have an easy way of identifying these rules and objects with standard administration tools.

In addition to security risks, a poorly maintained policy can have a major impact on performance. The entire rule base is parsed from top to bottom with every network connection, and as it grows, hardware requirements also increase (read more about best practices for optimizing firewall performance at our blog).

Rule and Object Usage Analysis

Untangle Your Rule Base

SecureTrack analyzes the actual usage of policy rules and labels each rule as most used, least used, or unused. SecureTrack also analyzes object usage within each rule, indicating specific network objects and services that are no longer in use. It is advisable to review every unused rule and object, and remove those that are not necessary and may represent a security risk. To improve firewall performance, SecureTrack makes recommendations regarding the position of specific rules: heavily used rules move to the top of the rule base and the least-used rules to the bottom. SecureTrack also indicates rule shadowing, places where an earlier rule overlaps a later one and effectively "hides" it so that the later rule is never matched, so that you can re-position rules intelligently.
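The usage and shadowing analysis described above, as an added example that is not Tufin's or SecureTrack's code: it runs over a constructed five-rule rulebase with constructed hit counts, flags rules hidden by an earlier rule, lists rules that traffic never hit, and bubbles heavily used rules upward only where the swap cannot change which action a packet receives.

```python
from collections import namedtuple
from ipaddress import ip_network

# name, source CIDR, destination CIDR, ports ("any", "443" or "1000-2000"),
# action ("allow"/"deny"), hit count read from the device's usage counters
Rule = namedtuple("Rule", "name src dst ports action hits")

def port_range(p):
    lo, _, hi = ("0-65535" if p == "any" else p).partition("-")
    return int(lo), int(hi or lo)

def covers(a, b):
    # a matches every packet b matches, so b placed after a is shadowed
    (alo, ahi), (blo, bhi) = port_range(a.ports), port_range(b.ports)
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and alo <= blo and bhi <= ahi)

def overlaps(a, b):
    # some packet matches both rules, so their relative order may matter
    (alo, ahi), (blo, bhi) = port_range(a.ports), port_range(b.ports)
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and alo <= bhi and blo <= ahi)

def analyze(rules):
    # {shadowed rule: an earlier rule hiding it} and rules unused by traffic
    shadowed = {r.name: e.name for j, r in enumerate(rules)
                for e in rules[:j] if covers(e, r)}
    unused = [r.name for r in rules if r.hits == 0 and r.name not in shadowed]
    return shadowed, unused

def reorder(rules):
    # bubble heavily used rules upward; swap neighbours only when the swap
    # cannot change any packet's action (same action, or no overlap at all)
    order = list(rules)
    for i in range(1, len(order)):
        k = i
        while k and order[k].hits > order[k - 1].hits and (
                order[k].action == order[k - 1].action
                or not overlaps(order[k], order[k - 1])):
            order[k], order[k - 1] = order[k - 1], order[k]
            k -= 1
    return [r.name for r in order]

RULES = [  # constructed sample rulebase; hit counts cover the review window
    Rule("r1-dns", "10.0.0.0/8", "10.1.1.53/32", "53", "allow", 120),
    Rule("r2-block-guest", "192.168.50.0/24", "10.0.0.0/8", "any", "deny", 300),
    Rule("r3-web", "10.0.0.0/8", "10.2.0.0/16", "80-443", "allow", 9000),
    Rule("r4-old-app", "10.3.0.0/16", "10.2.5.10/32", "8080", "allow", 0),
    Rule("r5-guest-web", "192.168.50.0/24", "10.2.0.0/16", "80", "allow", 0),
]
```

On this sample, `analyze(RULES)` reports r5-guest-web as shadowed by the deny rule above it and r4-old-app as unused, while `reorder(RULES)` moves r3-web to the top but keeps the deny rule ahead of the guest rule it hides.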

Eliminate Overly Permissive Rules

Another way to tighten up overly permissive policies is by analyzing network traffic to identify the precise requirements for your business. SecureTrack’s Automatic Policy Generator (APG) reviews the security policy and assigns a permissiveness score to every rule. Based on in-depth analysis of network traffic, APG defines a comprehensive firewall policy that ensures business continuity while eliminating permissive rules and delivering superior performance. Learn more about APG.

Copyright © 2003-2012 Tufin Software Technologies Ltd.