Firewalls are like security checkpoints; they serve as the first line of defense against threats. However, bad policies result in poor security and ineffective operations. It has been said that a firewall's security is only as good as the policy it is configured to implement. Yet more than 95 percent of firewall breaches are caused by firewall misconfigurations-not firewall flaws.
To study this situation, I obtained more than 80 Check Point and Cisco firewall rule sets from companies that use a leading firewall analyzer and determined a measure of firewall rule set complexity. My analysis consisted of 36 vendor-neutral configuration errors that create risk behind the firewall. Combined with the firewall rule set complexity I will describe, this analysis enabled me to conclude that firewalls are indeed poorly configured-and that the number of detected configuration errors is directly related to a rule set's complexity.
My preliminary research introduced a measure of rule set complexity defined by the number of rules, the number of objects and the number of interfaces. However, this measurement lacked discrimination between more and less complex rule sets as I initially planned.
Instead, I chose to define firewall complexity through a comparable measurement of Cisco firewalls and Check Point firewalls. Cisco firewalls include separate rule sets for each network interface, but Check Point firewalls have a single set of rules that applies to all interfaces-which means that, by itself, the number of rules is not an effective measure. Additionally, Cisco configurations do not have a separate object database, making the number of objects difficult to compare directly.