Ah! A subject near and dear to my heart. Since this is likely to be lengthy, I’ll reply on separate occasions for each general subject.
First of all, perimeters get porous only partially because of business demands. What is more common is that few organizations have a formal firewall exception and review policy – and/or FAIL to follow up on it.
To wit: One place I worked for had a checkpoint firewall-1 with over 200 rules. To cope with the increasing load on the firewall, the initial attempt was to shut down logging on most rules. When I noticed this, I suggested that we (Ok, me and the firewall administrator) go through all of the rules and analyze them for current need, duplication, reality check (rules that applied to long-gone objects). This was an iterative process – too hard to do in one fell swoop – but, the result was to cut the number of rules in half.
The other part of this was the lack of a formal policy of who gets to specify rules, and what their expected lifetime might be. I’ve gotten management at a number of places to abide by (and support) the following policy:
1) All requests for a firewall “hole” must be accompanied by a business justification, and be approved by a director-level manager or above – who will be listed as the responsible business owner for that rule.
2)All requests must include the technical owner’s name and phone number.
3) All requests must include an estimated closure date for the rule.
Rule implementation must include the business/technical owners’ name and the expiration date of the rule.
Rule implementation must include a search for relevant similar rules so as to group similar functions under the same rule (example: 1 rule for outbound SSH, all users fit in there)
There must be a semi-annual or annual formal review of all rules – supported by, and participated in by management.