Security (Firewall) Optimization
Least Privilege Firewall Optimization
Palo Alto, Cisco, Meraki & Fortinet Firewalls
Fine tune your firewall security rules and clean up old configurations with Crossconnect Engineering!
Palo Alto • Cisco Meraki • Fortinet
Unchecked Organic Rule Growth is a Vulnerability
Over time, firewall rule bases tend to become large and complicated. They often include rules that are partially or completely unused, expired, or shadowed. Firewall rules are also often imported verbatim from an old firewall because the organization fears breaking production traffic. In other cases, rules are simply too non-specific or “loose” to be effective against attackers; this often happens because immediate business requirements take priority over long-term security needs.
Why Should You Be Concerned?
“Loose” rules – such as those containing “any” in either direction, those matching entire subnets, or those not matching a port/protocol – may allow unauthorized access or traffic, exposing your network to potential security breaches. Malicious actors can exploit vulnerabilities and gain entry to sensitive information or systems.
Unnecessary rules add complexity to managing firewall security controls, resulting in a range of security management challenges.
Rules that are not utilized or improperly configured present notable security hazards. Improperly configured rules can allow malicious actors to access your network. Outdated rules—those that are not aligned with current security requirements and traffic patterns—cannot protect against attacks. Hackers can exploit outdated rules to gain access to your network.
Firewall optimization process
Crossconnect’s Least Privilege Approach
Our Firewall Experts Will:
Rank rules by qualitative impact on a five-level scale from “No Issues” to “Critically Insecure”, covering Least Privilege / Lack of Narrowness, Incorrect/Insecure Configuration, and Unused Rules
Use logging to identify & safely disable and remove unused rules
Manually review high-risk rules identified above
Schedule meetings with the client to review the use cases of high-risk rules and create a remediation plan
For “loose” rules, use a three-phase process to create “tighter” rules above the loose rule, eventually eliminating the loose rule after logging indicates it is no longer in use
(In some rare cases, some rules may be too “loose” to be narrowed to least-privilege in three phases. In these situations, these rules will be individually identified, discussed with the client, and if desired, narrowed for an extended time at additional cost.)
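As an added illustration of the review steps above (this is example code written for this page, not Crossconnect's own tooling), the auditor below walks a rule base in evaluation order and flags the conditions the page names: “any” in either direction, entire subnets, no port/protocol, unused rules, and rules shadowed by an earlier, broader rule. The rule fields, the constructed sample rules and the /24 “entire subnet” threshold are assumptions for the demo.

```python
import ipaddress
from typing import NamedTuple
ANY = "any"
LOOSE_PREFIX = 24  # assumption: a prefix shorter than /24 counts as "entire subnet"
def ipn(cidr): return ipaddress.ip_network(cidr, strict=False)

class Rule(NamedTuple):
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # e.g. "tcp/443", or "any"
    hits: int     # hit count from logging over the review window

def _net_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    return outer == ANY or (inner != ANY and ipn(inner).subnet_of(ipn(outer)))

def _svc_covers(outer, inner):
    return outer == ANY or (inner != ANY and outer == inner)

def audit(rules):
    """Return {rule name: [issue, ...]} in evaluation order; [] means 'No Issues'."""
    findings = {}
    for i, r in enumerate(rules):
        issues = []
        if ANY in (r.src, r.dst):
            issues.append("any-source-or-destination")
        if any(f != ANY and ipn(f).prefixlen < LOOSE_PREFIX for f in (r.src, r.dst)):
            issues.append("entire-subnet")
        if r.service == ANY:
            issues.append("no-port-or-protocol")
        if r.hits == 0:
            issues.append("unused")
        # First match wins: an earlier rule covering src, dst and service shadows this one.
        for earlier in rules[:i]:
            if (_net_covers(earlier.src, r.src) and _net_covers(earlier.dst, r.dst)
                    and _svc_covers(earlier.service, r.service)):
                issues.append(f"shadowed-by:{earlier.name}")
                break
        findings[r.name] = issues
    return findings

# Constructed sample rule base, listed in evaluation order.
SAMPLE_RULES = [
    Rule("web-in", ANY, "10.0.1.10/32", "tcp/443", 12000),
    Rule("legacy-allow-all", "10.0.0.0/8", ANY, ANY, 5),
    Rule("db-access", "10.0.2.0/24", "10.0.3.5/32", "tcp/5432", 0),
    Rule("old-ftp", "172.16.4.0/24", "192.168.1.20/32", "tcp/21", 0),
    Rule("mgmt-ssh", "172.16.0.5/32", "172.16.0.0/26", "tcp/22", 90),
]
```

In the sample, `db-access` shows why unused rules are checked together with shadowing: it has no hits only because the loose `legacy-allow-all` rule above it takes its traffic, so the tighter rule should be kept and the loose one narrowed.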
Pricing
Pricing is by Number of Security Policy Rules
Less than 10 Rules (5 Weeks)
$2,700
10-25 Rules (5 Weeks)
$6,160
25-50 Rules (6 Weeks)
$12,000
50-75 Rules (7 Weeks)
$17,850
75-100 Rules (7 Weeks)
$23,700
100-150 Rules (7 Weeks)
$35,400
150-200 Rules (8 Weeks)
$47,100
200-250 Rules (9 Weeks)
$59,100
250-300 Rules (8 Weeks)
$70,500
If near the edge of a security policy rule tier, additional rules may be added to the lower tier at $270 per security rule. Example: 52 rules may be purchased at $12,540. Contact us for a custom quote on anything over 300 rules.