If the exception is the policy, you’re doing it wrong
From NATHER’S LAW OF POLICY MANAGEMENT on the Tufin blog:
That last one is of particular interest to me today, as I saw a client recently with a rule base for his firewall that was around 1000 rules long. When looking at his compliance results for policy and risk he was showing me hundreds of rules he wanted to mark as exceptions. I was puzzled – almost two thirds of his rule base consisted of exceptions to the compliance policies they were trying to enforce.
Bottom line: if your exceptions are out of hand, it’s time to rethink your compliance plans or realign operations with compliance. It is one thing to lose track of how policy aligns with reality, another to not do anything about it.
With any kind of positive security policy (defining what is allowed, rather than looking for what is not), you always need to manage exceptions. Michael Hamelin refers to Wendy’s point that “For every configuration there is an equal and opposite exception.” posited in a Dark Reading column back in October. Wendy is exactly right, and the reality is that firewall operational platforms – which the likes of Tufin, AlgoSec and Firemon provide – are more and more prevalent because firewall policies have become unmanageable.
And it will get worse as folks continue migrating to the NGFW with application-centric policies. So it’s time to get on top of your rule bases, before things really get ugly. I will be doing some research on this later in Q1.