Firewall Wizards mailing list archives

Re: Sun/Solaris Checkpoint FW-1 Question


From: Paul Armstrong <army () cyber com au>
Date: Wed, 7 Jul 2004 14:35:30 +1000

On Sun, Jun 27, 2004 at 01:13:20PM +0200, Alex Bihlmaier wrote:
Marcus J. Ranum wrote:
|>One of my customers is using the Checkpoint FW-1 Firewall and has a
|>relatively large ruleset. (large as in large for just typing it down)
|
| You realize that's a bad sign for more than just operational
| reasons, right?

No, I don't realize.
The former IT Administration did bad work.

Or what do you mean? ;)

For those who don't get it, large rulesets have the following problems (off the
top of my head, I'm sure mjr will fill in some more):
* Increased complexity
  + You're less likely to understand what's going on
  + It's harder to audit your rule base (you do audit your rules, don't you?)
* Increased load on the machine
* A large chance of conflicting rules
* Mistakes cause larger holes
  + e.g. "pass from any to DMZ web server" means that everything that goes
  through the machine can access that web server (unless you add even more
  rules to negate access from some/all of your subnets and then you have a
  maintenance nightmare when you add another subnet)

As well as minimizing the rulesets on one machine, breaking the ruleset across
multiple machines can be useful:
* Vendor mistakes cause less of an effect
* Failures can be reduced to affecting a single segment of your network instead
  of giving all your networks an air-gap
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
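The audit points raised in the post above (conflicting rules, rules that can never fire, and "pass from any" holes) can be checked mechanically on a first-match rule base such as FW-1's. The script below is an added example, not code from the thread or from Check Point: it parses a small constructed rule base in an invented five-column text syntax (rule number, action, source, destination, service) and reports later rules that are fully covered by an earlier one (redundant if the action is the same, a conflict if it differs) plus accept rules whose source is "any".

```python
"""Audit a small first-match firewall rule base for shadowed, conflicting
and over-broad rules.  Added example; the rule syntax and the sample rules
below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    number: int
    action: str                  # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str                 # e.g. "tcp/80", "udp/53", or "any"


def _net(text):
    """'any' becomes 0.0.0.0/0; a bare host address becomes a /32."""
    return ANY if text == "any" else ipaddress.ip_network(text, strict=False)


def parse_rules(text):
    """Parse lines of the form '<n> <action> <src> <dst> <service>'.
    Anything after '#' is a comment; blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        num, action, src, dst, service = line.split()
        rules.append(Rule(int(num), action.lower(), _net(src), _net(dst), service.lower()))
    return rules


def _service_within(a, b):
    return b == "any" or a == b


def _covered_by(later, earlier):
    """True if every packet matching `later` would already have matched
    `earlier`, i.e. `later` can never fire under first-match evaluation."""
    return (later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and _service_within(later.service, earlier.service))


def audit(rules):
    """Return (kind, rule_number, shadowing_rule_number_or_None) findings."""
    findings = []
    for i, rule in enumerate(rules):
        # the "pass from any to DMZ web server" hole from the post
        if rule.action == "accept" and rule.src == ANY:
            findings.append(("any-source-accept", rule.number, None))
        # first earlier rule that completely covers this one decides its fate
        for earlier in rules[:i]:
            if _covered_by(rule, earlier):
                kind = "redundant" if earlier.action == rule.action else "conflict"
                findings.append((kind, rule.number, earlier.number))
                break
    return findings


# Constructed sample rule base (not a real customer's policy).
SAMPLE_RULEBASE = """
# no  action  source        destination   service
1     accept  10.0.0.0/8    192.168.1.10  tcp/22   # admin SSH to DMZ web server
2     accept  any           192.168.1.10  tcp/80   # public web
3     drop    10.1.0.0/16   192.168.1.10  tcp/80   # guest LAN block: never fires, rule 2 wins
4     accept  10.0.1.0/24   192.168.1.10  tcp/22   # already covered by rule 1
5     drop    any           any           any      # cleanup rule
"""

if __name__ == "__main__":
    for kind, num, by in audit(parse_rules(SAMPLE_RULEBASE)):
        where = f" (shadowed by rule {by})" if by is not None else ""
        print(f"rule {num}: {kind}{where}")
```

The "conflict" finding on rule 3 is the maintenance-nightmare case from the post: the intended guest-LAN block sits below the "any" accept and so has no effect, and nothing in the policy editor says so. Running this kind of check on every change is far cheaper than discovering the hole in an incident review.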