Defining Cisco and Check Point Firewall Complexity

By Avishai Wool | Posted 2011-02-07


Interestingly, these limitations made it simple to define the complexity of Cisco firewalls by counting the number of lines in the ASCII files and discounting a few lines of boilerplate standard to all Cisco firewalls. Thus, Cisco firewall complexity is defined as:

FC = #Lines - 50.

To define a comparable measure for Check Point, I conceptualized a "Check Point-to-Cisco converter," which would need to replicate the single Check Point rule set to every Cisco interface. Therefore, Check Point complexity must multiply the number of rules by the number of interfaces and then add the number of object definitions (since object definitions in a Cisco configuration are global and written once). Thus, Check Point firewall complexity is defined as:

FC = (#Rules × #Interfaces) + #Objects.

Based on these definitions, I found that the median FC value for the surveyed Check Point firewalls is 1,117 versus 315 for Cisco firewalls. How does your organization compare?
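The two metrics above, as an added example that is not the article's own code: it implements both FC formulas, a simplified stand-in for the hypothetical "Check Point-to-Cisco converter" the article reasons with (output syntax is illustrative, not a real conversion), and a check that applying the Cisco line-count metric to a converted policy reproduces the Check Point formula. The sample policy, interface names and object names are constructed.

```python
# Added example (not the article's code): FC metrics and the converter argument.
from typing import Dict, List

CISCO_BOILERPLATE_LINES = 50                    # lines common to every Cisco config (article)
MEDIAN_FC = {"cisco": 315, "checkpoint": 1117}  # survey medians quoted in the article


def cisco_fc(config_text: str) -> int:
    """Cisco complexity: FC = #Lines - 50, over the saved ASCII configuration."""
    return len(config_text.splitlines()) - CISCO_BOILERPLATE_LINES


def checkpoint_fc(num_rules: int, num_interfaces: int, num_objects: int) -> int:
    """Check Point complexity: FC = (#Rules x #Interfaces) + #Objects."""
    return num_rules * num_interfaces + num_objects


def convert_to_cisco_lines(rules: List[str], interfaces: List[str],
                           objects: List[str]) -> List[str]:
    """Hypothetical converter: objects are global, so each is emitted once;
    the single rule set is replicated as one ACL per interface."""
    lines = [f"object network {name}" for name in objects]
    for ifc in interfaces:
        lines += [f"access-list acl_{ifc} extended {rule}" for rule in rules]
    return lines


def fc_ratio_to_median(fc: int, vendor: str) -> float:
    """Compare a firewall with the surveyed median (1.0 means at the median)."""
    return fc / MEDIAN_FC[vendor]


def demo() -> Dict[str, int]:
    # Constructed sample policy: 3 rules, 4 interfaces, 5 objects.
    rules = ["permit tcp any host WEB eq 80", "permit tcp any host MAIL eq 25",
             "deny ip any any"]
    interfaces = ["outside", "inside", "dmz", "mgmt"]
    objects = ["WEB", "MAIL", "DB", "LAN", "VPN_POOL"]
    cp_fc = checkpoint_fc(len(rules), len(interfaces), len(objects))
    # Prepend the 50 boilerplate lines, then apply the Cisco metric to the conversion.
    converted = ["! boilerplate"] * CISCO_BOILERPLATE_LINES + convert_to_cisco_lines(
        rules, interfaces, objects)
    return {"checkpoint_fc": cp_fc,
            "cisco_fc_of_conversion": cisco_fc("\n".join(converted))}


if __name__ == "__main__":
    print(demo())  # both values are 17 for the constructed policy
```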

Ms. Allen received a BS in computer science from the University of Michigan, an MS in electrical engineering from the University of Southern California (USC), and an executive business certificate from the University of California at Los Angeles (UCLA). Her professional affiliations include ACM and IEEE Computer Society.
