Firewall Wizards mailing list archives
RE: Rationale for BSD (I)PF rule order?
From: Paul Robertson <proberts () patriot net>
Date: Mon, 12 May 2003 15:39:51 -0400 (EDT)
On Mon, 12 May 2003, Marcus J. Ranum wrote:
> Paul Robertson wrote:
> > Having lots of rules isn't necessarily a bad thing, if they don't change much over time.
>
> I don't agree. Many rules means that there is a complex policy with
You're allowed to disagree, but I'll stand by my statement...
> many exceptions. That usually means that the security policy was created by office politics and organizational leverage, not by good security design. Which usually means that the firewall is there to slow traffic down a little bit, and log stuff, but isn't doing much for security.
If you're a large organization with a well-managed external DNS, and you're piping that through a filter to business units, you could have 4x <units> rules to allow UDP and TCP to your external DNS over the WAN (assuming 2 servers per unit) - that gets you to "lots of rules" pretty darned quickly if you have lots of business units. Add a few "extranet" connections to specific machines (benefits for each HR department for example) and that total goes up pretty quickly. So, even in an environment where you've got a good default deny policy, if you're opening specific holes due to business requirements, you'll end up with hundreds or thousands of rules quite quickly. Especially if you're transiting traffic for business units to put on their own DMZ, but still providing an overall organizational security stance.
> If I were to guess, 90% of the firewalls I've seen in the last 10 years fit into the category of "you've got to be fooling yourself!"
I agree, and that matches my experience, but that's not because of the number of rules...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net     which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
                           TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
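To make the "4x <units>" arithmetic in the message above concrete, here is an added illustration that is not part of the original thread or of anyone's posted configuration. The script generates the explicit per-business-unit IPF rules Paul describes (one UDP and one TCP rule to each of two external DNS servers), appends the default-deny rule, counts the result, and evaluates sample packets against the list in first-match ("quick") order. The unit names, WAN prefixes and server addresses are constructed sample values; the rendered `ipf` syntax follows the common `pass in quick on <if> proto ... from ... to ... port = 53` form and is an assumption that may need adjusting for a particular ipf release.

```python
"""Added example (not from the original thread): generate the per-business-unit
IPF DNS rules discussed above, count them, and evaluate packets against the
resulting first-match rule list. All names and addresses are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # "udp", "tcp", or None for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]    # destination port, None for any port

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        return (
            (self.proto is None or self.proto == proto)
            and ipaddress.ip_address(src) in self.src
            and ipaddress.ip_address(dst) in self.dst
            and (self.port is None or self.port == port)
        )

    def render(self, iface: str) -> str:
        # "quick" makes ipf stop at the first matching rule instead of
        # using its default last-match semantics (assumed ipf syntax).
        if self.action == "block":
            return f"block in log quick on {iface} all"
        flags = " flags S" if self.proto == "tcp" else ""
        return (f"pass in quick on {iface} proto {self.proto} "
                f"from {self.src} to {self.dst} port = {self.port}{flags} keep state")


@dataclass
class BusinessUnit:
    name: str
    wan_prefix: str          # the unit's source network as seen at the filter
    dns_servers: List[str]   # the two external DNS servers the unit may reach


def dns_rules(unit: BusinessUnit) -> List[Rule]:
    """UDP and TCP rules for each server: 2 servers give 4 rules per unit."""
    rules = []
    for server in unit.dns_servers:
        for proto in ("udp", "tcp"):
            rules.append(Rule("pass", proto,
                              ipaddress.ip_network(unit.wan_prefix),
                              ipaddress.ip_network(f"{server}/32"), 53))
    return rules


ANY = ipaddress.ip_network("0.0.0.0/0")


def build_ruleset(units: List[BusinessUnit]) -> List[Rule]:
    """Explicit per-unit rules followed by the default-deny rule."""
    rules = [r for u in units for r in dns_rules(u)]
    rules.append(Rule("block", None, ANY, ANY, None))
    return rules


def first_match(rules: List[Rule], proto: str, src: str, dst: str, port: int) -> str:
    for r in rules:
        if r.matches(proto, src, dst, port):
            return r.action
    # ipf's compiled-in default when nothing matches is pass, which is why
    # the ruleset above ends with an explicit block-all rule.
    return "pass"


# Constructed sample data (RFC 1918 and RFC 5737 addresses).
SAMPLE_UNITS = [
    BusinessUnit("hr", "10.1.0.0/24", ["192.0.2.10", "192.0.2.11"]),
    BusinessUnit("finance", "10.2.0.0/24", ["192.0.2.20", "192.0.2.21"]),
    BusinessUnit("eng", "10.3.0.0/24", ["192.0.2.30", "192.0.2.31"]),
]

if __name__ == "__main__":
    rs = build_ruleset(SAMPLE_UNITS)
    print(f"# {len(rs) - 1} explicit rules for {len(SAMPLE_UNITS)} units, plus default deny")
    for r in rs:
        print(r.render("fxp0"))
```

With three units the list already has twelve explicit rules before the default deny; the growth is linear in the number of units, so a few hundred units yields the "hundreds or thousands of rules" the message mentions while the policy itself stays uniform.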