Automatic Policy Generation with Permissive Rule Analysis


One of my favourite activities, as CTO and founder, is meeting our users and talking to them about their needs and wishes in the areas of firewall policy management and beyond. It's always nice to hear how SecureTrack is helping out and what our users like about it, and it's also useful to hear about things that don't work and need improvement, but what I'm really after is requirements that lead to innovation.

A couple of years ago I was visiting one of our users, a mobile operator, and we were discussing a requirement they had to remove unused objects from the policy. At the time SecureTrack already provided rule usage analysis, and this new requirement gave me the idea of mapping traffic logs onto objects within rules. This solution seemed right; unused objects would appear with zero hits and could then be safely deleted from the rule. The user also mentioned something about analyzing rules that are too wide, which I kept in mind but didn't have the bandwidth to deal with.

Anyway, we started brainstorming the object usage analysis requirement and came upon an interesting scenario:

Source   Destination   Service   Action
A, B     X, Y          HTTP      Accept

Assuming all objects are used, can this rule be improved?

If you like puzzles stop here and think.

Well, obviously, A, B, X and Y cannot be deleted from the rule but, under certain conditions, there’s a possible improvement.

If A only talks to X and B only talks to Y, then the original rule also permits two flows that never happen, A to Y and B to X, and we can rewrite it without them as:

Source   Destination   Service   Action
A        X             HTTP      Accept
B        Y             HTTP      Accept

We developed this idea and came up with a model for increasing security by breaking up rules. Michael Peres also built a clever prototype just to see it working.

The idea was to take traffic logs and consolidate them into a rule base, a kind of bottom-up approach to reverse engineering a rule base. Any rule can be analyzed as long as it's permissive and logged: logging has to be enabled on the rule, because the connections it accepts are the only evidence of what the rule is actually used for.

The resulting rule base provides tighter security by splitting the original rule into multiple finer ones. Ruvi would probably say we're replacing Swiss cheese with one big hole with Swiss cheese with many smaller holes.

A few months ago I got a phone call from Dave Goodman and he said: "hey buddy, there's this customer who needs to break out his ANY ANY ACCEPT rules on a Cisco Pix, can SecureTrack help?"

We got a few million syslogs from this customer, cleaned them up with sed and awk, constructed a rule base with 68 rules and sent it back to him. The guy was thrilled.

Our sales team has since encountered many more customers with permissive rules; actually, it seems like almost every enterprise firewall has this problem. The security guys really want to fix it, but they are terrified of shutting down a business-critical service by mistake. This tool solves the problem:

  1. start with a permissive rule that has logging enabled
  2. collect logs and generate a new rule base from the connections that rule accepted
  3. place the new rule base above the original rule (the original stays in place, still logged, so traffic that was not seen during collection is accepted and recorded rather than dropped)
  4. keep on collecting logs and refine the rule base as much as needed; once the original rule stops getting hits it can be removed
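
Below is an added example of the bottom-up generation step described above (steps 1 to 4), written for this post; it is not Tufin's SecureTrack or APG code. The log lines are constructed, the field names in them (`rule=`, `src=`, `dst=`, `proto=`, `dport=`) are an assumption rather than any real firewall's syslog format, and the consolidation heuristic (sources that reached exactly the same destinations for a service share one rule) is one reasonable way to group flows, not necessarily the product's algorithm. It reproduces the A/B/X/Y split from the post: A->X and B->Y become two rules, while two sources that both only talk to the same server collapse into one.

```python
"""Bottom-up rule generation from the traffic a permissive rule has logged.

Added example for this post, not Tufin's SecureTrack/APG code.  The log
format is constructed and the grouping heuristic is an assumption about
how one might consolidate flows, not the product's algorithm.
"""
import re
from collections import defaultdict

# Constructed sample log: connections accepted by one "any any accept" rule
# (named any-any here), plus one drop by another rule that must be ignored.
SAMPLE_LOG = """\
Jun 14 10:00:01 fw1 accept rule=any-any src=10.1.1.10 dst=10.2.2.20 proto=tcp dport=80
Jun 14 10:00:02 fw1 accept rule=any-any src=10.1.1.11 dst=10.2.2.21 proto=tcp dport=80
Jun 14 10:00:03 fw1 accept rule=any-any src=10.1.1.10 dst=10.2.2.20 proto=tcp dport=80
Jun 14 10:00:04 fw1 accept rule=any-any src=10.1.1.12 dst=10.2.2.30 proto=udp dport=53
Jun 14 10:00:05 fw1 accept rule=any-any src=10.1.1.13 dst=10.2.2.30 proto=udp dport=53
Jun 14 10:00:06 fw1 accept rule=any-any src=10.1.1.10 dst=10.2.2.20 proto=tcp dport=443
Jun 14 10:00:07 fw1 drop rule=cleanup src=192.0.2.9 dst=10.2.2.20 proto=tcp dport=22
"""

# Assumed key=value layout of an accepted-connection line (constructed format).
LINE_RE = re.compile(
    r"\baccept rule=(?P<rule>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_flows(log_text, rule_name, hits=None):
    """Count accepted connections per (src, dst, service) for one rule.

    Only lines accepted by rule_name count; drops and hits on other rules
    are skipped.  Pass an existing dict as hits to fold in a later batch of
    logs (step 4: refine as more traffic is observed).
    """
    hits = defaultdict(int, hits or {})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or m.group("rule") != rule_name:
            continue
        service = f"{m.group('proto')}/{m.group('dport')}"
        hits[(m.group("src"), m.group("dst"), service)] += 1
    return dict(hits)


def generate_rulebase(flows):
    """Consolidate observed flows into Accept rules (step 2).

    For each service, sources that reached exactly the same set of
    destinations are grouped into one rule.  So A->X and B->X become
    {A,B} -> X, while A->X and B->Y stay two separate rules, which is the
    split shown in the post; A->Y and B->X are never generated because
    they were never seen.
    """
    dests_by_src = defaultdict(set)            # (service, src) -> {dst}
    for src, dst, service in flows:
        dests_by_src[(service, src)].add(dst)

    groups = defaultdict(set)                  # (service, dsts) -> {src}
    for (service, src), dsts in dests_by_src.items():
        groups[(service, frozenset(dsts))].add(src)

    rules = [
        {"source": sorted(srcs), "destination": sorted(dsts),
         "service": service, "action": "accept"}
        for (service, dsts), srcs in groups.items()
    ]
    rules.sort(key=lambda r: (r["service"], r["source"]))   # deterministic output
    return rules


def build_policy(generated, original_rule):
    """Step 3: generated rules go above the original permissive rule, which
    stays last and logged so unseen traffic is still accepted and recorded."""
    return generated + [original_rule]


def render(rules):
    """Plain-text rule table in the same column layout as the post."""
    return "\n".join(
        f"{','.join(r['source']):<32} {','.join(r['destination']):<20} "
        f"{r['service']:<8} {r['action']}"
        for r in rules
    )


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG, "any-any")
    original = {"source": ["any"], "destination": ["any"],
                "service": "any", "action": "accept"}
    print(render(build_policy(generate_rulebase(flows), original)))
```

Running it prints four generated rules above the original any/any rule: the two web clients each get their own rule because they talk to different servers, the two DNS clients share one rule because they only ever reach the same resolver, and the dropped SSH attempt contributes nothing. Feeding a later batch of logs into `parse_flows` with the previous `hits` dict and regenerating is the refinement loop of step 4; a new source that only talks to the same resolver simply joins the existing DNS rule.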

I’ll be going back to the guy who first suggested this, to show him this feature and talk about the next one.



2 Responses to “Automatic Policy Generation with Permissive Rule Analysis”

  1. Twitted by nebulasgroup Says:

    […] This post was Twitted by nebulasgroup […]

  2. Tufin Firewall Expert Tip #3: Best practices for optimizing firewall performance « Tufin's Blog Says:

    […] Use the Automatic Policy Generator (APG) to identify and remove unwanted traffic from the firewall. Read more about APG here. […]
