 
 

Anomaly Classification

Firewall rule anomalies are classified as follows. In the examples, each rule is written as: name, protocol, source address, source port, destination address, destination port, action. '*' is an octet wildcard, 'any' is a port wildcard, and rules are evaluated in order with the first match deciding the packet's fate.

Overridden Rules
A rule is overridden (also called shadowed) when an earlier rule matches every packet the later rule would match, so the later rule can never fire. Below, R4 is overridden by R3:

R3 TCP *.*.*.*      any 161.120.33.40 80 Accept
R4 TCP 140.192.37.* any 161.120.33.40 80 Deny

This is a critical error. The administrator intended to deny 140.192.37.* access to 161.120.33.40 on port 80, but R3 accepts that traffic first, so traffic meant to be blocked is permitted. The reverse case, an intended accept shadowed by an earlier deny, blocks permitted traffic. The fix is to move the specific rule ahead of the general one, or to delete the unreachable rule if it was never intended.

Correlation Rules
Two rules are correlated when they match some of the same packets but neither matches everything the other does (each rule is wider than the other in at least one field) and their actions differ.

Correlation is reported as a warning because swapping the two rules changes the outcome for the packets they share. In the example (R3 and R1), packets from 140.192.37.20 to 161.120.33.40 on port 80 match both rules: with R3 first they are accepted, with R1 first they are denied.

R3 TCP *.*.*.*       any 161.120.33.40 80 Accept
R1 TCP 140.192.37.20 any *.*.*.*       80 Deny

Redundant Rules
A rule is redundant when another rule already applies the same action to every packet it matches, so the security policy is unchanged if the redundant rule is removed.

Such a rule contributes nothing to the filtering decision but enlarges the rulebase and adds processing time. Below, R7 is redundant to R6: every packet R7 matches is already accepted by R6, which precedes it, so R7 never fires and can be deleted. (When the narrower rule comes first, it is only safe to remove if no rule between the two with a different action covers the same traffic; otherwise the narrower rule is an intended exception, not a redundancy.)

R6 TCP 140.192.37.* any *.*.*.*       21 Accept
R7 TCP 140.192.37.* any 161.120.33.40 21 Accept

Inelegant Rules
Rules whose network elements (addresses, ports, services) are subsets or ranges of the elements in other rules with the same action. Such elements should be combined into groups or objects so that one rule replaces several and the rulebase is easier to read.

The impact is extra processing and space. R1 and R2 below differ only in the destination port, so a service group containing ports 21 and 22 lets a single rule replace them:

R1 TCP 140.192.37.* any 161.120.33.40 22 Accept
R2 TCP 140.192.37.* any 161.120.33.40 21 Accept

Unused Rules / Objects
Rules created for a temporary need, or for servers or services that no longer exist, and that therefore no longer match any traffic. Log analysis (a hit count of zero over a representative period) is how these are found.

Unused Objects: network or service objects that were created but are no longer referenced by any rule.
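The four pairwise relations above (overridden, correlation, redundant, inelegant) can be checked mechanically by comparing every pair of rules field by field. The script below is an added example written for this article, not FRAT's code. It assumes wildcards are trailing octets (140.192.37.*) rather than arbitrary CIDR or port ranges, runs on a constructed rulebase modelled on the examples above, and also applies the intervening-rule check for the case where the narrower rule of a same-action pair comes first:

```python
"""Pairwise rule-anomaly classification in the article's categories.

Added example, not FRAT's code. Rules use the article's notation:
name proto src sport dst dport action, with '*' as an octet wildcard and
'any' or '*' as a wildcard port/protocol. Assumption: wildcards are
trailing octets only (140.192.37.*), not arbitrary CIDR or port ranges.
"""

FIELDS = ("proto", "src", "sport", "dst", "dport")

# Constructed rulebase modelled on the article's examples (not a real policy).
RULEBASE = """\
R1 TCP 140.192.37.20 any *.*.*.*       80 Deny
R2 TCP 140.192.37.*  any 161.120.33.40 22 Accept
R3 TCP *.*.*.*       any 161.120.33.40 80 Accept
R4 TCP 140.192.37.*  any 161.120.33.40 80 Deny
R5 TCP 140.192.37.*  any *.*.*.*       21 Accept
R6 TCP 140.192.37.*  any 161.120.33.40 21 Accept
"""


def parse_rules(text):
    """One rule per line, in firewall order; blank lines and '#' comments are ignored."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, proto, src, sport, dst, dport, action = line.split()
        rules.append({"name": name, "proto": proto.upper(), "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "action": action.lower()})
    return rules


def fixed_part(value):
    """Fixed prefix of a field: '140.192.37.*' -> ('140','192','37'); 'any'/'*' -> ()."""
    if value.lower() in ("any", "*"):
        return ()
    fixed = []
    for part in value.split("."):
        if part == "*":
            break
        fixed.append(part)
    return tuple(fixed)


def field_relation(a, b):
    """How field a relates to field b: 'eq', 'sub' (a inside b), 'sup' (a contains b)
    or 'disjoint'. With prefix wildcards one field can never partially overlap another."""
    fa, fb = fixed_part(a), fixed_part(b)
    n = min(len(fa), len(fb))
    if fa[:n] != fb[:n]:
        return "disjoint"
    if len(fa) == len(fb):
        return "eq"
    return "sub" if len(fa) > len(fb) else "sup"


def overlaps(r1, r2):
    """True if some packet matches both rules (no field is disjoint)."""
    return all(field_relation(r1[f], r2[f]) != "disjoint" for f in FIELDS)


def analyze(rules):
    """Return (kind, rule, other_rule, field) for every anomalous pair, in rulebase order."""
    findings = []
    for i, x in enumerate(rules):                       # x is the earlier rule
        for j in range(i + 1, len(rules)):
            y = rules[j]                                # y is the later rule
            rels = {f: field_relation(y[f], x[f]) for f in FIELDS}
            kinds = set(rels.values())
            same_action = x["action"] == y["action"]
            if "disjoint" in kinds:
                # Inelegant: same action, identical except for one field -> one rule with a group.
                differing = [f for f in FIELDS if rels[f] != "eq"]
                if same_action and len(differing) == 1:
                    findings.append(("inelegant", x["name"], y["name"], differing[0]))
            elif kinds <= {"eq", "sub"}:
                # Every packet y matches is already taken by x, so y never fires:
                # redundant if the actions agree, overridden (shadowed) if they differ.
                findings.append(("redundant" if same_action else "overridden",
                                 y["name"], x["name"], ""))
            elif kinds <= {"eq", "sup"}:
                # x is a special case of the wider, later rule y. With different actions x is
                # a deliberate exception. With the same action x is redundant only if no rule
                # between them with a different action takes some of x's packets.
                exception_between = any(r["action"] != x["action"] and overlaps(r, x)
                                        for r in rules[i + 1:j])
                if same_action and not exception_between:
                    findings.append(("redundant", x["name"], y["name"], ""))
            elif not same_action:
                # Neither contains the other but they share packets: order decides the outcome.
                findings.append(("correlation", x["name"], y["name"], ""))
    return findings


if __name__ == "__main__":
    for kind, rule, other, field in analyze(parse_rules(RULEBASE)):
        print(f"{kind:12} {rule} vs {other} {field}")
```

On the constructed rulebase this reports R1/R3 correlated, R4 overridden by R3, R6 redundant to R5 and R2/R6 mergeable on the destination port. Because the fields are prefix wildcards, a single field can never partially overlap another, so correlation only arises across fields; with CIDR blocks or port ranges field_relation would need a fifth answer, 'overlap', which the pair logic would treat like the mixed case.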

The Solution

Avoiding the problems described above takes a multi-pronged approach:

•  Clean up and maintain the rulebase on a regular schedule
•  Rules / traffic analysis, to find rules that are anomalous or never matched
•  Log analysis, to establish which rules and objects are actually used
•  Automate, so the checks run on every change rather than once a year

FRAT (Firewall Rulebase Analysis Tool)

The solution can be automated with a tool we developed called FRAT, written in Visual Basic. FRAT ships with standard firewall log parsing scripts that work through gigabytes of logs and extract the relevant packet information. The tool reads the output of the parsing scripts, checks it against the ruleset, and identifies the rules that were never used.

It first normalizes the firewall rules and logs into a common format, since the tool is meant to work with different brands of firewall.

It then performs traffic analysis on the logs and reports which rules in the rulebase were never hit (hit count = 0). The log window must cover the relevant business cycles, since a rule for monthly or disaster-recovery traffic will show zero hits in a week of logs, and a zero hit count should be read together with the anomaly analysis: a shadowed rule also shows zero hits, but the fix there is to reorder, not to delete.

It further checks the rulebase for anomalies (using the classification defined above) and lists the rules that can be deleted or combined.

Finally it generates the firewall commands that implement the cleaned rulebase, free of the reported anomalies.
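The traffic-analysis step above (normalized logs in, hit count per rule out) is shown in the added example below. It is not FRAT's code. It assumes the parsing scripts have already reduced each vendor's log to one record per line in the constructed format 'timestamp proto src sport dst dport action', and that the firewall applies the first matching rule. It goes one step beyond the text by also reporting log records whose logged action disagrees with what the rulebase copy predicts, which indicates a stale copy or a normalization error:

```python
"""Hit counts per rule from normalized firewall logs.

Added example, not FRAT's code. Assumes the log parsing step has already
produced one record per line as 'timestamp proto src sport dst dport action'
(a constructed format) and that the firewall is first-match. Rules use the
article's notation with '*' octet wildcards and 'any' port wildcards.
"""
from collections import Counter

FIELDS = ("proto", "src", "sport", "dst", "dport")

# Constructed rulebase modelled on the article's examples (not a real policy).
RULEBASE = """\
R1 TCP 140.192.37.20 any *.*.*.*       80 Deny
R2 TCP 140.192.37.*  any 161.120.33.40 22 Accept
R3 TCP *.*.*.*       any 161.120.33.40 80 Accept
R4 TCP 140.192.37.*  any 161.120.33.40 80 Deny
R5 TCP 140.192.37.*  any *.*.*.*       21 Accept
R6 TCP 140.192.37.*  any 161.120.33.40 21 Accept
"""

# Constructed, already-normalized log records (not real firewall output).
LOGS = """\
2006-03-01T10:00:01 TCP 140.192.37.20 40001 161.120.33.40 80 deny
2006-03-01T10:00:02 TCP 10.1.2.3      40002 161.120.33.40 80 accept
2006-03-01T10:00:03 TCP 140.192.37.9  40003 161.120.33.40 80 accept
2006-03-01T10:00:04 TCP 140.192.37.9  40004 161.120.33.40 21 accept
2006-03-01T10:00:05 TCP 140.192.37.9  40005 161.120.33.40 22 accept
2006-03-01T10:00:06 TCP 10.1.2.3      40006 161.120.33.40 22 deny
2006-03-01T10:00:07 TCP 140.192.37.9  40007 161.120.33.40 22 deny
"""


def parse_rules(text):
    """One rule per non-blank line, in firewall order."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            name, proto, src, sport, dst, dport, action = line.split()
            rules.append({"name": name, "proto": proto.upper(), "src": src, "sport": sport,
                          "dst": dst, "dport": dport, "action": action.lower()})
    return rules


def parse_log(text):
    """Yield one packet record per non-blank line of the normalized log."""
    for line in text.splitlines():
        if line.strip():
            ts, proto, src, sport, dst, dport, action = line.split()
            yield {"ts": ts, "proto": proto.upper(), "src": src, "sport": sport,
                   "dst": dst, "dport": dport, "action": action.lower()}


def field_matches(pattern, value):
    """'140.192.37.*' matches '140.192.37.9'; 'any' or '*' matches any value."""
    if pattern.lower() in ("any", "*"):
        return True
    for p, v in zip(pattern.split("."), value.split(".")):
        if p == "*":
            return True
        if p != v:
            return False
    return True


def first_match(rules, pkt):
    """The rule a first-match firewall applies, or None for the implicit default rule."""
    for rule in rules:
        if all(field_matches(rule[f], pkt[f]) for f in FIELDS):
            return rule
    return None


def hit_report(rules, log_text):
    """Return (hits per rule, rules with hit count 0, action mismatches, unmatched count)."""
    hits = Counter({r["name"]: 0 for r in rules})
    mismatches, unmatched = [], 0
    for pkt in parse_log(log_text):
        rule = first_match(rules, pkt)
        if rule is None:
            unmatched += 1          # fell through to the implicit cleanup/default rule
        elif rule["action"] != pkt["action"]:
            # The device did something our copy of the rulebase does not predict: the copy
            # is stale or the normalization is wrong. Not counted as a hit; investigate.
            mismatches.append((pkt["ts"], rule["name"], rule["action"], pkt["action"]))
        else:
            hits[rule["name"]] += 1
    unused = [r["name"] for r in rules if hits[r["name"]] == 0]
    return hits, unused, mismatches, unmatched


if __name__ == "__main__":
    hits, unused, mismatches, unmatched = hit_report(parse_rules(RULEBASE), LOGS)
    print("hits:", dict(hits))
    print("unused (hit count = 0):", unused)
    print("logged action differs from rulebase:", mismatches)
    print("records matching no rule:", unmatched)
```

On the constructed input R4 and R6 come out with zero hits. That agrees with the anomaly classification (R4 is shadowed by R3, R6 is redundant to R5), but the hit count alone cannot tell the two cases apart from a rule that is simply idle, which is why the zero-hit list is read alongside the anomaly report rather than deleted wholesale.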

FRAT also integrates with the SCR / RFC (request for change) system to analyze each new change request before it is implemented, preventing redundant or anomalous rules from entering the rulebase.
