As thousands of change tickets are processed by the security operations team, and business objectives evolve over time, the underlying firewall rule bases become very large and intricate. In fact, many of the rules and objects in a typical firewall rule base are obsolete. Each unused rule is a potential security hole and should be eliminated, yet firewall administrators have no easy way of identifying these rules and objects with standard administration tools. This holds true not only for firewalls, but for related network security infrastructure as well.
In addition to the security risk, a poorly maintained rule base can have a major impact on performance. The rule base is evaluated from top to bottom for every new network connection, and as the rule base grows, the hardware required to sustain the same throughput grows with it (read more about best practices for optimizing firewall performance at our blog).
SecureTrack analyzes the actual usage of firewall rules and labels each rule as most used, least used, or unused. SecureTrack also analyzes object usage within each rule, indicating specific network objects and services that are no longer in use. It is advisable to review every unused rule and object, and remove those that are not necessary and may represent a security risk.
To improve firewall performance, SecureTrack makes recommendations regarding the position of specific rules - placing the heavily used rules at the top of the rule base and moving the least-used rules to the bottom. SecureTrack also indicates rule shadowing - places where an earlier rule overlaps with a later one, or matches everything the later rule would match and so effectively "hides" it - so that you can re-position rules intelligently without changing what the policy actually permits.
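The three analyses described above (unused rules, shadowed rules, and usage-based reordering that respects overlap) are illustrated by the following added example. It is not SecureTrack code; the rule base, its hit counts, and the simplified rule model (one source CIDR, one destination CIDR, one destination port range) are constructed here, and shadowing is checked against single earlier rules only, not combinations of rules.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Rule:
    name: str
    src: str          # CIDR; 0.0.0.0/0 means "any"
    dst: str
    ports: tuple      # inclusive (low, high) destination port range
    action: str       # "allow" or "deny"
    hits: int = 0     # hit counter from the usage report (constructed here)


def covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])


def overlaps(a, b):
    """True if some packet could match both rules, so their relative order matters."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def shadowed_rules(rules):
    """(rule, shadowing_rule) pairs: the rule sits below one that fully covers it, so it is never reached."""
    return [(r.name, e.name) for i, r in enumerate(rules)
            for e in rules[:i] if covers(e, r)][:len(rules)]


def unused_rules(rules):
    return [r.name for r in rules if r.hits == 0]


def reorder_by_usage(rules):
    """Move heavily used rules up, but never past a rule they overlap with: a packet
    that matches the moved rule never matched the rules it passed, so decisions are unchanged."""
    ordered = []
    for r in rules:
        pos = len(ordered)
        while pos > 0 and ordered[pos - 1].hits < r.hits and not overlaps(ordered[pos - 1], r):
            pos -= 1
        ordered.insert(pos, r)
    return ordered


# Constructed sample rule base, listed top to bottom as the firewall evaluates it
RULES = [
    Rule("allow_web", "0.0.0.0/0", "10.0.0.0/24", (80, 80), "allow", hits=5),
    Rule("allow_dns", "0.0.0.0/0", "10.0.1.53/32", (53, 53), "allow", hits=900),
    Rule("allow_web_host", "0.0.0.0/0", "10.0.0.10/32", (80, 80), "allow", hits=0),
    Rule("cleanup_deny", "0.0.0.0/0", "0.0.0.0/0", (0, 65535), "deny", hits=20),
]
```

In the sample, `allow_web_host` is both unused and shadowed by `allow_web`, `allow_dns` moves to the top because it overlaps nothing above it, and `cleanup_deny` stays last because it overlaps every other rule.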