Firewall Wizards mailing list archives
Re: Sun/Solaris Checkpoint FW-1 Question
From: Paul Armstrong <army () cyber com au>
Date: Wed, 7 Jul 2004 14:35:30 +1000
On Sun, Jun 27, 2004 at 01:13:20PM +0200, Alex Bihlmaier wrote:
> Marcus J. Ranum wrote:
> |>One of my customers is using the Checkpoint FW-1 Firewall and has a
> |>relatively large ruleset. (large as in large for just typing it down)
> |
> | You realize that's a bad sign for more than just operational
> | reasons, right?
>
> No, I don't realize. The former IT Administration did bad work.
> Or what do you mean? ;)
For those who don't get it, large rulesets have the following problems (off
the top of my head, I'm sure mjr will fill in some more):

* Increased complexity
  + You're less likely to understand what's going on
  + It's harder to audit your rule base (you do audit your rules, don't you?)
* Increased load on the machine
* A large chance of conflicting rules
* Mistakes cause larger holes
  + e.g. "pass from any to DMZ web server" means that everything that goes
    through the machine can access that web server (unless you add even more
    rules to negate access from some/all of your subnets, and then you have a
    maintenance nightmare when you add another subnet)

As well as minimizing the rulesets on one machine, breaking the ruleset
across multiple machines can be useful:

* Vendor mistakes cause less of an effect
* Failures can be reduced to affecting a single segment of your network
  instead of giving all your networks an air-gap

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
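Two of the problems listed above, "any"-source accept rules and conflicting rules, are mechanical enough to check with a script. The following is an added example, not part of the original post and not Check Point's own tooling: it audits a small, constructed rule base (the rule format, the rule names and the 192.0.2.x addresses are assumptions made for the example) for accept rules whose source is "any" and for rules that are shadowed by an earlier, broader rule, which with different actions is exactly a conflict in a first-match rule base.

```python
"""Audit a simplified first-match firewall rule base for two of the
problems a large ruleset invites: overly broad 'any' sources and rules
that conflict with (are fully shadowed by) an earlier rule.
Constructed example; not Check Point's tooling or rule format."""
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

Rule = Dict[str, str]   # keys: name, src, dst, service, action
ANY = "any"


def _net(value: str):
    """Parse an address set; None stands for 'any' (IPv4 only here)."""
    return None if value == ANY else ip_network(value, strict=False)


def covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` is also in `outer`."""
    o, i = _net(outer), _net(inner)
    if o is None:            # 'any' contains everything
        return True
    if i is None:            # a concrete set never contains 'any'
        return False
    return i.subnet_of(o)


def service_covers(outer: str, inner: str) -> bool:
    """Services are plain strings like 'tcp/80'; 'any' matches all."""
    return outer == ANY or outer == inner


def rule_covers(outer: Rule, inner: Rule) -> bool:
    """True if `outer` matches every packet `inner` would match."""
    return (covers(outer["src"], inner["src"])
            and covers(outer["dst"], inner["dst"])
            and service_covers(outer["service"], inner["service"]))


def broad_accepts(rules: List[Rule]) -> List[int]:
    """Indices of accept rules with source 'any': the
    'pass from any to DMZ web server' case from the post."""
    return [i for i, r in enumerate(rules)
            if r["action"] == "accept" and r["src"] == ANY]


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(earlier, later) index pairs where the earlier rule already
    matches everything the later one would, so the later rule never
    fires in a first-match rule base."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rule_covers(rules[i], later):
                found.append((i, j))
                break
    return found


def conflicts(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Shadowed pairs whose actions differ: the later rule expresses an
    intent (e.g. drop) that the earlier rule silently overrides."""
    return [(i, j) for i, j in shadowed(rules)
            if rules[i]["action"] != rules[j]["action"]]


# Constructed sample rule base (not from any real site).  Rule 2 was
# meant to keep the guest subnet off the web server, but rule 1 accepts
# from 'any' first, so rule 2 never matches: a larger hole than intended.
RULES: List[Rule] = [
    {"name": "dns-out", "src": "10.0.0.0/8", "dst": "192.0.2.53/32",
     "service": "udp/53", "action": "accept"},
    {"name": "web-in", "src": "any", "dst": "192.0.2.80/32",
     "service": "tcp/80", "action": "accept"},
    {"name": "block-guests-web", "src": "10.99.0.0/16",
     "dst": "192.0.2.80/32", "service": "tcp/80", "action": "drop"},
    {"name": "cleanup", "src": "any", "dst": "any",
     "service": "any", "action": "drop"},
]


def audit(rules: List[Rule]) -> Dict[str, list]:
    """Return the findings by rule name so they can be read or tested."""
    return {
        "broad_accepts": [rules[i]["name"] for i in broad_accepts(rules)],
        "conflicts": [(rules[i]["name"], rules[j]["name"])
                      for i, j in conflicts(rules)],
    }


if __name__ == "__main__":
    for kind, items in audit(RULES).items():
        print(f"{kind}: {items}")
```

The cleanup rule at the end is not reported: it is only "covered" by a rule that matches everything it matches, and no earlier rule here does. Real Check Point objects (groups, negated columns, time ranges, NAT) need richer matching than this, but the shadowing test is the same comparison, and it is the comparison that becomes impractical to do by eye once the rule base is large.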