A security rule base that evolves over several years has the characteristics of spaghetti
(29/05/2009)
Three years ago I bought a house in the south of Italy and since then I have been trying to immerse myself in the local culture. It recently occurred to me that actually there was a great deal of similarity between the nuances and national characteristics of Italy and the challenges faced by security professionals today.
A rule base that has evolved over several years, across several vendors’ products and many different security administrators, will certainly resemble spaghetti: when you start pulling on one end, you never know what the consequences will be.
Even in the south of Italy, companies nowadays need to improve the efficiency of their firewall operation and make what they have go faster and further, as budgets for hardware or software upgrades are under close scrutiny. The ability to understand which rules are most frequently used enables the security professional to improve performance by ensuring a close match between rule ranking and rule usage. This is even more the case when unused rules and shadowed rules can be clearly identified. These classes of rules only add complexity, degrade performance and increase business continuity risk.
Those of you who have driven in the south of Italy will know that all traffic laws, which by the way are still contained in the Italian criminal code rather than the civil code, are merely suggestions to be adhered to or ignored depending on the situation.
Such is often the case when people are writing new security rules or changing existing ones. We all know that we should include a comment or a clean-up rule, but sometimes expediency makes us ignore these good practice guidelines.
Meeting a growing number of compliance requirements, whether internal audit reviews, external audit demands such as SOX or Basel II, or industry-specific requirements such as PCI-DSS, is far more costly if there has been a history of indiscipline.
It is of little use spending money to optimise your firewall infrastructure and enable automatic compliance if you do not stop subsequent non-compliance. The ability to flag non-compliance to the relevant IT/security/compliance/business manager protects your investment, maintains your firewall estate’s performance and ensures cost-free ongoing compliance.
One local habit that I have taken the most easily to is sleeping in the afternoon. The opportunity to wind down and take a nap after a nice lunch is a great way to recharge your batteries. I think that this should be added as a criterion for any new security investment. “Does this investment allow me to take a nap in the afternoon?”
In summary, it is clear to me that companies are looking for ways to remove cost from firewall administration whilst adding performance. The ever-increasing demands of compliance from all quarters mean that the delivery of compliance needs to be automated and assured. To ensure ongoing OPEX reduction and operational efficiency, rule changes going forward need to be assessed automatically against an internal or external best practice standard, and violations flagged to the responsible manager.


