John Pescatore on firewall complexity


Gartner’s John Pescatore wrote an interesting blog post today on firewall rule base complexity – “A Storm in Any Port” (firewall buffs will appreciate the pun – “Any Port”…)

We’ve been preaching about the complexity and inherent risks of large firewall rule bases for years, and it’s always great to receive validation from one of the most influential people in IT security.

Here are a couple of key quotes, in my opinion:

“… it is pretty rare to find an enterprise firewall policy that anyone is really sure about exactly what policy the rule set actually implements. Most firewall rule sets have mutated through incremental adds/drops/changes over the years and have turned into gargantuan linear lists that now have a life of their own.”

“Often you’ll find that easily 30% of the exceptions are no longer needed.”

The only thing missing from this great post is the solution – well, guess what:  we have it… Using Tufin SecureTrack, you can manage firewall policies proactively, and clean up unused firewall rules and objects. In some cases, we’ve seen customers with close to 50% of their firewall rule completely unused over a long period of time, out of hundreds of rules.

It’s time for some spring cleaning, folks…


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: