Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

Best Practices for Optimising Firewalls

Tufin Technologies : 04 March, 2010  (Technical Article)
Rueven Harrison of Tufin Technologies explains in 12 steps how to gain maximum performance through firewall optimisation
Are your firewalls overloaded? Symptoms of overloaded firewalls include high CPU, low throughput and slow applications. Before upgrading your hardware, it is worth checking whether or not your firewall configuration can be optimised. Here, Reuven Harrison CTO of Tufin Technologies gives firewall administrators some best practices for optimising firewalls for maximum performance and throughput.

Configuration optimisation techniques for firewalls can be divided into two groups: general best practices and vendor-specific, model-specific configurations. This article will focus on best practices. The following are eleven best practices for firewall administrators to use to optimise firewalls for better performance and throughput.

Best practice No. 1: Ensure outbound traffic is compliant with policies

Remove bad traffic and clean up the network. Bad traffic includes non-compliant, unauthorized or undesired traffic. Notify server administrators about servers hitting the firewall directly with outbound denied Domain Name System (DNS), NTP, SMTP, HTTP and HTTP Secure (HTTPS) requests, as well as dropped/rejected internal devices. The administrators should then reconfigure the servers not to send this type of unauthorized outbound traffic (thereby taking load off the firewall).

Resource Library:

* Open Storage at Work: New Ways to Use Solid State Drives to Optimize System Perf
* How to Improve MySQL Database Scalability
* Virtual Desktop: Opportunities, Challenges, and Successful Deployment
* Improving Application Delivery over WAN: Measure, Monitor, Manage

Best practice No. 2: Filter unwanted traffic on the router(s) instead of the firewall

Move the filtering rules for unwanted inbound traffic from the firewall to the edge router(s) to balance the performance and effectiveness of the security policy. To do this, first identify the top inbound dropped requests that are candidates to move upstream to the router as Standard Access Control List (ACL) filters. This can be a time-consuming process but it is a good method for moving blocks upstream to the router, thus saving firewall CPU and memory.

Then, if you have an internal choke router between your network and firewall, consider moving common outbound traffic blocks to your choke routers. This will free more processing on your firewall.

Best practice No. 3: Remove unused rules and objects

Remove unused rules and objects from the rule bases. While cleaning up an unwieldy rule base might sound like a daunting task, there are a variety of automated tools available that can assist with rule cleanup. These automated tools make firewall policy management a much more manageable endeavor.

Best practice No. 4: Reduce rule base complexity

Reduce rule base complexity and rule overlapping should be minimized. Again, there are tools available that can dramatically reduce the time and headache involved in cleaning up and simplifying the rule base.

Best practice No. 5: Handle broadcast traffic

If the firewall interface is directly connected to the LAN segment, you should create a rule to handle broadcast traffic (bootp, NetBIOS over TCP/IP, etc.) with no logging.

Best practice No. 6: Place the heavily used rules near the top of the rule base

Place the heavily used rules near the top of the rule base. Note that some firewalls (such as Cisco Pix, ASA version 7.0 and above, FWSM 4.0, and certain Juniper Networks models) don't depend on rule order for performance since they use optimized algorithms to match packets.

Best practice No. 7: Avoid DNS objects

Avoid objects requiring DNS lookups.

Best practice No. 8: Firewall interface settings should match switch and router settings

Your firewall interfaces should match your router and/or switch interfaces. If your router or switch is 100M bps half-duplex, your firewall should be 100M bps half-duplex. Your interfaces should be hard set to match; both should most likely be 100M bps full-duplex.

Your router/switch and firewall should both report the same speed and duplex mode. If your switch and firewall are both Gigabit Ethernet, they should both be set to auto-negotiate the speed and duplex. If your Gigabit interfaces do not match between your firewall and switch, you should try replacing the cables and patch panel ports. Gigabit interfaces that are not linking at 1000M bps full-duplex are almost always a sign of other issues.

Best practice No. 9: Separate firewalls from VPNs

Separate firewalls from VPNs to offload VPN traffic and processing.

Best practice No. 10: Offload features from the firewall

Offload Unified Threat Management (UTM) features from the firewall including: antivirus, antispam,
intrusion prevention system (IPS), and URL scanning.

Best practice No. 11: Upgrade to the latest software version

Upgrade to the latest software version. As a rule of thumb, newer versions contain performance enhancements but also add new capabilities—so a performance gain is not guaranteed.

Reuven Harrison is CTO at Tufin Technologies. Reuven co-founded Tufin in 2003, serving as CTO during the company's fast-paced growth. Responsible for Tufin's flagship product, Reuven leads Tufin's development staff, managing all product architecture. Reuven brings more than 17 years of software development experience, holding two key senior developer positions at Check Point Software, as well other key positions at Capsule Technologies and ECS. He received a Bachelor's degree in Mathematics and Philosophy from Tel Aviv University.

Tufin are exhibiting at Infosecurity Europe is the No. 1 industry event in Europe held on 27th - 29th April at Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise.

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo