Defining Cisco and Check Point Firewall Complexity
Interestingly, these limitations made it simple to define the complexity of Cisco firewalls: count the number of lines in the ASCII configuration file and discount the few lines of boilerplate common to all Cisco firewalls. Thus, Cisco firewall complexity is defined as:
FC = #Lines - 50.
To define a comparable measure for Check Point, I conceptualized a "Check Point-to-Cisco converter," which would need to replicate the single Check Point rule set on every Cisco interface. Therefore, Check Point complexity must multiply the number of rules by the number of interfaces and then add the number of object definitions (since object definitions in a Cisco configuration are global). Thus, Check Point firewall complexity is defined as:
FC = (#Rules × #Interfaces) + #Objects.
Based on these definitions, I found that the median FC value for the surveyed Check Point firewalls is 1,117 versus 315 for Cisco firewalls. How does your organization compare?
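A small calculator for both definitions, added here as an example and not part of the original article: it counts non-blank lines of a constructed Cisco-style configuration, counts rules, interfaces and objects of a constructed Check Point policy, and compares each FC value against the medians reported above. Clamping the Cisco metric at zero for configurations shorter than the boilerplate allowance is an assumption of this example.

```python
from dataclasses import dataclass

# Constants taken from the text: the Cisco boilerplate discount and the
# median FC values reported for the surveyed firewalls.
CISCO_BOILERPLATE_LINES = 50
MEDIAN_FC = {"cisco": 315, "checkpoint": 1117}


def cisco_complexity(config_text: str) -> int:
    """FC = #Lines - 50, counting non-blank lines of the ASCII config.
    Clamping at zero is this example's assumption, not the article's."""
    lines = [line for line in config_text.splitlines() if line.strip()]
    return max(len(lines) - CISCO_BOILERPLATE_LINES, 0)


@dataclass
class CheckPointPolicy:
    rules: list        # one entry per rule in the single rule base
    interfaces: list   # interfaces the rule base applies to
    objects: list      # network/service object definitions


def checkpoint_complexity(policy: CheckPointPolicy) -> int:
    """FC = (#Rules x #Interfaces) + #Objects."""
    return len(policy.rules) * len(policy.interfaces) + len(policy.objects)


def compare_to_median(vendor: str, fc: int) -> str:
    """Place an FC value relative to the reported median for its vendor."""
    median = MEDIAN_FC[vendor]
    return "above median" if fc > median else "at or below median"


# Constructed sample Cisco config: 5 header lines plus 99 ACL entries.
CISCO_SAMPLE = "\n".join(
    ["hostname fw1",
     "nameif ethernet0 outside security0",
     "nameif ethernet1 inside security100",
     "ip address outside 198.51.100.2 255.255.255.0",
     "ip address inside 192.0.2.1 255.255.255.0", ""]
    + [f"access-list acl_out permit tcp any host 192.0.2.{i} eq 443"
       for i in range(1, 100)]
)

# Constructed sample Check Point policy: 12 rules, 3 interfaces, 40 objects.
CHECKPOINT_SAMPLE = CheckPointPolicy(
    rules=[f"rule{i}" for i in range(12)],
    interfaces=["external", "internal", "dmz"],
    objects=[f"host{i}" for i in range(40)],
)
```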