Periodically Auditing and Optimizing Security Policies
Because a network changes constantly, old security policies may need to be deleted when they no longer apply, and new security policies must be created for new users, devices, services, and applications on the network. As the security policy list grows, management becomes complicated, security risks may go unnoticed, and firewall performance suffers. To address this, audit security policies periodically. In some industries this audit is mandatory; for example, PCI DSS requires that security policies be audited once every half a year.
You are advised to periodically audit, simplify, and optimize security policies, which helps the firewall strike a balance between performance and security. The detailed operations are as follows:
- Understand the intent and background of each security policy. These can be obtained from the security policy name and from the description field, which should record the change history of the policy. If possible, confirm with the service owner whether the security policy still needs to be retained.
- Check the security policies whose description field is empty. You are advised to fill in the description field, because an empty description complicates security policy management.
- Check temporary security policies and delete the expired ones. The icon next to a temporary security policy indicates that the security policy has expired.
- Delete the unnecessary security policies that are disabled.
- Check for unused, duplicate, or inapplicable security policies. Duplicate security policies may exist when multiple users maintain the policy list. Inapplicable security policies remain after devices or assets are retired. No traffic matches these security policies, so you can identify them by analyzing which security policies are never matched, and then delete the redundant ones based on the analysis result.
- Check for security policies whose matching conditions overlap. If such security policies have the same action, combine them. If their actions differ, adjust the security policy configurations so that the resulting actions are the intended ones.
- Check for security policies whose matching conditions contain any. Check whether these security policies are necessary and whether more specific matching conditions can be specified. In general, the service type should not be any.
- Check whether traffic of insecure services, such as FTP and Telnet, is permitted. These services transmit data in plaintext, which poses security risks.
- Check which security policies are frequently matched. Move these policies up in the policy list, while ensuring that the policy matching result is not affected. This can significantly improve the matching speed.
- Check logs and optimize security policy configurations based on session logs and policy matching logs.
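The following script is an added example and is not Huawei firewall code or a product feature; it runs the checks from the list above (empty descriptions, expired temporary policies, disabled and never-matched policies, service any, plaintext services, duplicates and overlaps) over a constructed policy table, and then moves frequently matched policies up using only swaps that cannot change the matching result. The Policy fields, the finding messages, and the sample policies are assumptions made for illustration; a real audit would load the policy export of the device instead.

```python
# Added audit example (not Huawei's code). Policy fields, messages and the
# sample policy table below are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

INSECURE_SERVICES = {"ftp", "telnet"}  # plaintext services named in the text


@dataclass
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    src: str                 # address object name, or "any"
    dst: str
    service: str             # service name, or "any"
    action: str              # "permit" or "deny"
    enabled: bool = True
    description: str = ""
    hits: int = 0            # matches since the counters were last cleared
    expires: Optional[date] = None  # set only on temporary policies


def match_key(p: Policy) -> Tuple[str, ...]:
    return (p.src_zone, p.dst_zone, p.src, p.dst, p.service)


def overlaps(a: Policy, b: Policy) -> bool:
    """Policies overlap when every matching field is equal or either side is any."""
    return all(x == y or "any" in (x, y) for x, y in zip(match_key(a), match_key(b)))


def audit(policies: List[Policy], today: date) -> List[Tuple[str, str]]:
    """Return (policy name, finding) pairs for the per-policy and pairwise checks."""
    findings = []
    for p in policies:
        if not p.description:
            findings.append((p.name, "empty description"))
        if p.expires is not None and p.expires < today:
            findings.append((p.name, "temporary policy expired"))
        if not p.enabled:
            findings.append((p.name, "disabled: delete if no longer needed"))
        elif p.hits == 0:
            findings.append((p.name, "never matched: unused or inapplicable"))
        if p.action == "permit" and p.service == "any":
            findings.append((p.name, "permit with service any"))
        if p.action == "permit" and p.service in INSECURE_SERVICES:
            findings.append((p.name, f"permits plaintext service {p.service}"))
    # Pairwise checks in list order, because the first matching policy wins.
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if not overlaps(a, b):
                continue
            same = a.action == b.action
            if match_key(a) == match_key(b):
                kind = ("duplicate: combine" if same
                        else "same conditions, different actions: review")
            else:
                kind = ("overlapping, same action: consider combining" if same
                        else "overlapping, different actions: check order")
            findings.append((f"{a.name} / {b.name}", kind))
    return findings


def reorder_by_hits(policies: List[Policy]) -> List[Policy]:
    """Move frequently matched policies up using adjacent swaps only.

    A swap is allowed only when it cannot change any matching result: the two
    policies do not overlap, or they overlap but apply the same action. Since
    only adjacent pairs are swapped, every overlapping pair with different
    actions keeps its relative order.
    """
    order = list(policies)
    changed = True
    while changed:
        changed = False
        for i in range(len(order) - 1):
            a, b = order[i], order[i + 1]
            if b.hits > a.hits and (not overlaps(a, b) or a.action == b.action):
                order[i], order[i + 1] = b, a
                changed = True
    return order


# Constructed sample policy list (not taken from any real device).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Policy("mgmt_ssh", "trust", "dmz", "admin_net", "srv_a", "ssh", "permit",
           description="Admin SSH to DMZ servers", hits=120),
    Policy("legacy_ftp", "trust", "dmz", "any", "srv_a", "ftp", "permit", hits=3),
    Policy("temp_vendor", "untrust", "dmz", "vendor_ip", "srv_b", "https", "permit",
           description="Vendor access, valid until 2024-03-31", hits=0,
           expires=date(2024, 3, 31)),
    Policy("old_srv_c", "trust", "dmz", "any", "srv_c", "any", "permit",
           description="srv_c (retired)", enabled=False),
    Policy("web_out", "trust", "untrust", "any", "any", "https", "permit",
           description="User web access", hits=9000),
    Policy("web_out_dup", "trust", "untrust", "any", "any", "https", "permit",
           description="Added by ops", hits=0),
    Policy("deny_all", "trust", "untrust", "any", "any", "any", "deny",
           description="Default deny", hits=700),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, TODAY):
        print(f"{name:24} {finding}")
    print("suggested order:", [p.name for p in reorder_by_hits(SAMPLE)])
```

In the sample, web_out_dup is reported as a duplicate of web_out and as never matched, and the reorder step moves web_out to the top but leaves deny_all behind web_out_dup, because the two overlap with different actions and swapping them would change which traffic is denied.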
If a security policy is deleted, it is difficult to restore both its exact configuration and its position in the policy list, whereas a disabled security policy can be re-enabled quickly if necessary. Therefore, before deleting a policy, disable it first and confirm that services are unaffected, and only then delete it.
Analyzing security policies manually during audit and optimization is laborious. Huawei firewalls provide the smart policy function, which performs policy redundancy analysis, policy matching analysis, and policy tuning on a single device. You can also use dedicated security policy management products, such as FireMon and AlgoSec.