Re: Rule Creep

I manage two fairly small networks, each running their own firewall. I inherited the jumbled mess about a year ago when the previous network administrator left and I hired on. One firewall's rule set is very small and succinct. Until days before I came on board, its rule set was permit IP any any. So the rules running now are recent and specific to what is happening. Not a lot of change on this network, and that is a good thing. The other network is the other end of the spectrum. While it wasn't sporting a rule of permit IP any any, it does have a plethora of rules. Many of them overlap, meaning they seem to do the same thing, just stated differently. Time permitting, I have tried to investigate the various rules to understand what they are doing. If I feel like the rule is redundant to another or otherwise not needed, and no one can tell me differently, I will disable the rule for a while. If no one complains for a few months, I will delete it entirely. I keep an eye on hit counts, and anything that has sat at zero since I have been here is a good candidate for me to investigate. So far I have been lucky and not disabled anything actively permitting traffic. FSM would be a great tool for me, but justifying the cost to my customer is the challenge. So far, I am not winning that battle. I like the idea planglois posed above and may "borrow" some of it.
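The two checks described in the post, rules that have sat at zero hits and rules that overlap an earlier rule, can be scripted so the review is repeatable. This is an added example, not code from the post or from any SolarWinds product; the one-line rule format and the sample rule table are constructed, with `0.0.0.0/0` standing in for `any`.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str                         # destination port or "any"
    hits: int                         # hit counter exported from the firewall

def parse_rule(line):
    # Constructed format: name action proto src dst port hits
    name, action, proto, src, dst, port, hits = line.split()
    return Rule(name, action, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), port, int(hits))

def load_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.port == "any" or a.port == b.port))

def zero_hit_rules(rules):
    """Rules that have never matched: first candidates to investigate."""
    return [r.name for r in rules if r.hits == 0]

def overlapping_rules(rules):
    """Later rules fully covered by an earlier rule (first match wins).
    Same action: redundant. Opposite action: shadowed, i.e. dead."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                found.append((later.name, earlier.name, kind))
                break
    return found

# Constructed sample rule table with hit counts.
SAMPLE = """\
r10 permit tcp 10.1.0.0/16 192.168.5.10/32 443 48213
r20 permit tcp 10.1.2.0/24 192.168.5.10/32 443 0
r30 deny ip 10.2.0.0/16 0.0.0.0/0 any 9
r40 permit tcp 10.2.7.0/24 192.168.5.20/32 22 0
r50 permit udp 10.1.0.0/16 192.168.5.53/32 53 1204
"""
```

Run `zero_hit_rules(load_rules(SAMPLE))` and `overlapping_rules(load_rules(SAMPLE))` to list the disable-and-watch candidates; a zero-hit rule that is also shadowed by an earlier deny is the safest one to remove first.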