The issue here is that you need a real firewall audit. I happen to have *plenty* of experience with this. Here is how you do it on a production firewall:
1) Approach the system owners, starting with the edge servers (closest to the internet) and ask for a system security plan that provides specific details on what the box does and what needs to be accessed. If they don't have one, ask them to create one. If they resist, be sure they understand that they own the risk should something go wrong.
2) Once you have all the technical specifics, go through the ruleset and remove ACLs but place comments in there stating why you've done so. If there are no issues after a few months, you can remove the commented out ACLs and the explanations.
3) When you wrap up the audit, a good idea would be to run a vulnerability assessment tool (like Nessus) to see what your security stance is. If you find it unacceptable, you'll have enough organizational knowledge to suggest changes to lower risk.
This is an involved process that will take time. You certainly don't want to start removing ACLs from a production PIX without fully understanding the impact.
Also note that this is a simplified view of the process. You'll need to consider regulatory compliance issues when doing this and for the operational end of the equation.
--TH13
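One way to keep step 2 honest over the months it takes, as an added example that is not part of TH13's post: a small script that walks a PIX-style config, checks that every commented-out ACL carries an annotation saying who disabled it, when and why, and lists the ones past the retention window that can now be deleted for good. The `! audit-disabled <date> by <who>: <reason>` annotation convention, the sample config and the 90-day window are assumptions of this example.

```python
import re
from datetime import date, timedelta

# Constructed sample of a PIX-style config after an audit pass. The
# "! audit-disabled" annotation convention is an assumption of this example.
SAMPLE_CONFIG = """\
access-list outside_in permit tcp any host 192.0.2.10 eq 443
! audit-disabled 2009-01-15 by TH13: no SSP lists ftp on 192.0.2.10
! access-list outside_in permit tcp any host 192.0.2.10 eq 21
! access-list outside_in permit tcp any host 192.0.2.11 eq 23
! audit-disabled 2009-05-20 by TH13: owner confirmed legacy syslog relay retired
! access-list outside_in permit udp any host 192.0.2.12 eq 514
access-list outside_in permit ip any any
"""
AUDIT_DATE = date(2009, 6, 1)  # constructed "today" for the sample run

DISABLED_RE = re.compile(r"^!\s*audit-disabled\s+(\d{4}-\d{2}-\d{2})\s+by\s+(\S+):\s*(.+)$")
ACL_RE = re.compile(r"^(!\s*)?access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")

def audit_acls(config_text, today, retention_days=90):
    """Return line numbers of commented-out ACLs with no annotation ("undocumented"),
    annotated ones older than the retention window ("expired", with who/why), and
    live permit rules that match any source to any destination ("broad_permits")."""
    findings = {"undocumented": [], "expired": [], "broad_permits": []}
    pending = None  # annotation waiting to be attached to the next commented ACL
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DISABLED_RE.match(line)
        if m:
            pending = (date.fromisoformat(m.group(1)), m.group(2), m.group(3))
            continue
        m = ACL_RE.match(line)
        if not m:
            continue
        commented, _name, action, _proto, rest = m.groups()
        if commented:
            if pending is None:
                findings["undocumented"].append(lineno)
            elif today - pending[0] >= timedelta(days=retention_days):
                findings["expired"].append((lineno, pending[1], pending[2]))
            pending = None  # an annotation covers only the ACL directly under it
        elif action == "permit" and rest.startswith("any any"):
            findings["broad_permits"].append(lineno)
    return findings

def run_sample():
    return audit_acls(SAMPLE_CONFIG, AUDIT_DATE)

if __name__ == "__main__":
    print(run_sample())
```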