How to Determine Your Firewall Rule Set Complexity

 
 
By Avishai Wool  |  Posted 2011-02-07 Email Print this article Print
 
 
 
 
 
 
 

Firewalls are used as the first line of defense by practically every corporation that is connected to the Internet. However, the protection these firewalls provide is only as good as the policy these firewalls are configured to implement. Here, Knowledge Center contributor Avishai Wool defines a measurement of firewall rule set complexity and offers some best practices for configuring a firewall rule set.

Firewalls are like security checkpoints; they serve as the first line of defense against threats. However, bad policies result in poor security and ineffective operations. It has been said that a firewall's security is only as good as the policy it is configured to implement. Yet more than 95 percent of firewall breaches are caused by firewall misconfigurations-not firewall flaws.

To study this situation, I obtained more than 80 Check Point and Cisco firewall rule sets from companies that use a leading firewall analyzer and determined a measure of firewall rule set complexity. My analysis consisted of 36 vendor-neutral configuration errors that create risk behind the firewall. Combined with the firewall rule set complexity I will describe, this analysis enabled me to conclude that firewalls are indeed poorly configured-and that the number of detected configuration errors is directly related to a rule set's complexity.

My preliminary research introduced a measure of rule set complexity defined by the number of rules, the number of objects and the number of interfaces. However, this measurement lacked discrimination between more and less complex rule sets as I initially planned.

Instead, I chose to define firewall complexity through a comparable measurement of Cisco firewalls and Check Point firewalls. Cisco firewalls include separate rule sets for each network interface, but Check Point firewalls have a single set of rules that applies to all interfaces-which means that, by itself, the number of rules is not an effective measure. Additionally, Cisco configurations do not have a separate object database, making the number of objects difficult to compare directly.




 
 
 
 
Ms. Allen received a BS in computer science from the University of Michigan, an MS in electrical engineering from the University of Southern California (USC), and an executive business certificate from the University of California at Los Angeles (UCLA). Her professional affiliations include ACM and IEEE Computer Society.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel