Firewall Wizards mailing list archives

RE: Rationale for BSD (I)PF rule order?


From: Paul Robertson <proberts () patriot net>
Date: Mon, 12 May 2003 12:46:49 -0400 (EDT)

On Mon, 12 May 2003, Ben Nagy wrote:

> Maybe I'll add a new principle when teaching my 'Dao of Good Security' - "if
> your security policy is complex then it isn't working".

We once had an employee whose last employer would put in a rule to allow 
something upon request, then remove it at the end of the request period.  
He couldn't see why so much change in a security device's configuration 
was a bad thing.  They often made 100 ruleset changes a day!

Having lots of rules isn't necessarily a bad thing, if they don't change 
much over time.  The issue is keeping up with a network that *does* change 
over time.  

Complexity isn't necessarily about number of rules, which is why I thought 
the "first, last or best" match thread was interesting.  I don't know if 
it's "your policy isn't working" so much as it's "Your policy doesn't live 
in the real world."

If your policy forces 100 rule changes a day, it's likely not a good 
real-world policy.  If you have 30,000 rules, and you're one organization, 
you *may* have a good policy, but it may be tedious more than complex.

If it takes more than a minute to decide if a 
packet/connection/application can get from A<->B, it's likely time for a 
redesign.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
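The "first, last or best" match point above is easy to state and easy to get wrong, so here is an added example (constructed for this archive page, not code from the thread, from pf, or from ipfilter) that evaluates one small ruleset under three ordering disciplines. The last-match-unless-`quick` walk is the real pf/ipfilter behaviour; the first-match walk is the common alternative; the "best match" function is an assumed most-specific-rule scoring, included only to show that a third discipline can give yet another answer. The rules, addresses and ports are made up; `Rule`, `decide` and `specificity` are names invented here.

```python
"""Toy evaluator for three packet-filter matching disciplines.

Constructed example.  Only the ordering semantics are modelled:
  first_match - first matching rule decides
  last_match  - last matching rule decides, unless a matching rule is
                marked ``quick``, which ends evaluation (pf / ipfilter)
  best_match  - most specific matching rule decides (assumed scoring)
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    src: str                 # source prefix in CIDR notation
    dst: str                 # destination prefix in CIDR notation
    dport: Optional[int]     # destination port, None means any port
    quick: bool = False      # pf/ipf "quick": stop evaluating on a match


def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def first_match(rules, src, dst, dport, default="block"):
    for r in rules:
        if matches(r, src, dst, dport):
            return r.action
    return default


def last_match(rules, src, dst, dport, default="block"):
    decision = default
    for r in rules:
        if matches(r, src, dst, dport):
            decision = r.action
            if r.quick:          # quick ends the walk; later rules are ignored
                break
    return decision


def specificity(rule: Rule) -> int:
    # Assumed scoring: longer prefixes and an explicit port count as more specific.
    return (ipaddress.ip_network(rule.src).prefixlen
            + ipaddress.ip_network(rule.dst).prefixlen
            + (16 if rule.dport is not None else 0))


def best_match(rules, src, dst, dport, default="block"):
    best = None
    for r in rules:
        if matches(r, src, dst, dport) and (
                best is None or specificity(r) > specificity(best)):
            best = r
    return best.action if best else default


def decide(rules, src, dst, dport):
    """Verdict of each discipline for one packet (src, dst, dport)."""
    return {
        "first": first_match(rules, src, dst, dport),
        "last": last_match(rules, src, dst, dport),
        "best": best_match(rules, src, dst, dport),
    }


# Constructed ruleset written the pf way: default deny first, exceptions after.
RULES: List[Rule] = [
    Rule("block", ANY, ANY, None),                                  # default deny
    Rule("pass", "10.0.0.0/8", "192.0.2.10/32", 80),                # intranet -> web
    Rule("block", "10.0.5.0/24", ANY, None),                        # quarantined subnet
    Rule("pass", "10.0.5.7/32", "192.0.2.10/32", 80, quick=True),   # one host exempted
]

if __name__ == "__main__":
    for pkt in [("10.1.1.1", "192.0.2.10", 80),
                ("10.0.5.9", "192.0.2.10", 80),
                ("10.0.5.7", "192.0.2.10", 80)]:
        print(pkt, decide(RULES, *pkt))
```

Read the verdicts side by side: a first-match engine blocks everything, because the catch-all sits at the top; the pf-style walk blocks the quarantined host 10.0.5.9 and passes the exempted 10.0.5.7 only because `quick` stops the walk before later rules can override it; the most-specific scoring lets 10.0.5.9 through, since the /8-to-/32-port-80 pass rule outscores the /24 quarantine block. Four rules, three different policies, which is the sense in which complexity lives in the matching semantics rather than in the rule count.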

