Firewall Wizards mailing list archives
RE: Rationale for BSD (I)PF rule order?
From: Paul Robertson <proberts () patriot net>
Date: Mon, 12 May 2003 12:46:49 -0400 (EDT)
On Mon, 12 May 2003, Ben Nagy wrote:
> Maybe I'll add a new principle when teaching my 'Dao of Good Security' - "if your security policy is complex then it isn't working".
We once had an employee whose last employer would put in a rule to allow something upon request, then remove it at the end of the request period. He couldn't see why so much change in a security device's configuration was a bad thing. They often made 100 ruleset changes a day!

Having lots of rules isn't necessarily a bad thing, if they don't change much over time. The issue is keeping up with a network that *does* change over time.

Complexity isn't necessarily about number of rules, which is why I thought the "first, last or best" match thread was interesting.

I don't know if it's "your policy isn't working" so much as it's "Your policy doesn't live in the real world." If your policy forces 100 rule changes a day, it's likely not a good real-world policy. If you have 30,000 rules, and you're one organization, you *may* have a good policy, but it may be tedious more than complex.

If it takes more than a minute to decide if a packet/connection/application can get from A<->B, it's likely time for a redesign.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
probertson () trusecure com   Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
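The post's point that complexity is about match semantics and policy churn rather than rule count, and that answering "can A reach B?" should take seconds, is easy to see with a small rule evaluator. The following is an added example for this archive page, not code from the thread or from PF/IPF: it evaluates one constructed ruleset under first-match semantics and under the last-match-wins-unless-`quick` semantics that PF and IPFilter use, and returns which rule decided each flow. The rule set, addresses and the `Rule`/`decide` names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """A minimal stateless filter rule (assumed shape for this example)."""
    action: str            # "pass" or "block"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None means any destination port
    quick: bool = False    # PF/IPF 'quick': stop evaluating once this rule matches

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def decide(rules: List[Rule], src: str, dst: str, dport: int,
           semantics: str = "last", default: str = "block") -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule), or (default, None) if nothing matched.

    semantics="first": first matching rule wins (iptables/Cisco ACL style).
    semantics="last":  last matching rule wins unless a matching rule is 'quick'
                       (PF/IPFilter default behaviour).
    """
    if semantics not in ("first", "last"):
        raise ValueError(f"unknown semantics: {semantics}")
    action, idx = default, None
    for i, r in enumerate(rules):
        if not r.matches(src, dst, dport):
            continue
        action, idx = r.action, i
        if semantics == "first" or r.quick:
            break
    return action, idx


def disagreements(rules: List[Rule], flows):
    """Flows (src, dst, dport) whose verdict depends on which semantics the engine uses.

    A non-empty result means the ruleset cannot be read without knowing the
    evaluation order, which is exactly the kind of complexity that makes
    'can A reach B?' a slow question to answer.
    """
    out = []
    for src, dst, dport in flows:
        f = decide(rules, src, dst, dport, "first")
        l = decide(rules, src, dst, dport, "last")
        if f[0] != l[0]:
            out.append(((src, dst, dport), f, l))
    return out


# Constructed ruleset, written in the usual PF style: block everything first,
# then punch specific holes, then carve an exception out of a hole.
RULES = [
    Rule("block", "0.0.0.0/0",    "0.0.0.0/0",     None),
    Rule("pass",  "10.0.0.0/8",   "192.0.2.0/24",  443),
    Rule("block", "10.1.2.0/24",  "192.0.2.0/24",  None),
    Rule("pass",  "10.1.2.7/32",  "192.0.2.10/32", 443, quick=True),
]

# Constructed sample flows (src, dst, dport).
FLOWS = [
    ("10.0.0.5",   "192.0.2.10", 443),   # generic internal host to web server
    ("10.1.2.9",   "192.0.2.10", 443),   # host in the carved-out subnet
    ("10.1.2.7",   "192.0.2.10", 443),   # the single exception inside that subnet
    ("10.1.2.7",   "192.0.2.10", 22),    # same host, non-web port
    ("172.16.0.1", "198.51.100.1", 80),  # matches only the catch-all
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "first:", decide(RULES, *flow, "first"), "last:", decide(RULES, *flow, "last"))
    print("order-dependent flows:", len(disagreements(RULES, FLOWS)))
```

Under first-match the catch-all block at index 0 decides every flow, so the three later rules are dead weight; under PF-style last-match the same four rules express a real policy, and the `quick` on the final rule is what stops a later block from overriding the exception. `disagreements` is the sort of one-line audit the post argues for: if it returns anything, the ruleset's meaning depends on the engine, not on the rules as written.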
Current thread:
- RE: Rationale for BSD (I)PF rule order?, (continued)
- RE: Rationale for BSD (I)PF rule order? Stewart, John (May 09)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Mikael Olsson (May 09)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Gary Flynn (May 10)
- Re: Rationale for BSD (I)PF rule order? Darren Reed (May 10)
- Re: Rationale for BSD (I)PF rule order? Avishai Wool (May 11)
- Re: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Mikael Olsson (May 09)
- RE: Rationale for BSD (I)PF rule order? Stewart, John (May 09)
- Re: Rationale for BSD (I)PF rule order? Holger Kipp (May 11)
- Re: Rationale for BSD (I)PF rule order? Bill Royds (May 11)
- Re: Rationale for BSD (I)PF rule order? Marcus J. Ranum (May 12)
- RE: Rationale for BSD (I)PF rule order? Ben Nagy (May 12)
- RE: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
- RE: Rationale for BSD (I)PF rule order? Marcus J. Ranum (May 12)
- RE: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
- RE: Rationale for BSD (I)PF rule order? Gwendolynn ferch Elydyr (May 12)