Firewall Rule Set Complexity: Good Configuration Comes in Small Policies

Posted: August 16, 2011 in Industry Commentary, IT policy

By Dr. Avishai Wool

Practically every corporation that is connected to the Internet uses firewalls as the first line of its cyber-defense. However, the protection these firewalls provide is only as good as the policy they are configured to implement. It has been said that the single most important factor of your firewall’s security is how you configure it, yet according to feedback provided by payment card brands and PCI auditing firms, 80 percent of firewalls examined in a breach investigation are misconfigured.

Curious about this phenomenon, I obtained rule-sets from a variety of corporations that use the AlgoSec Firewall Analyzer [ed. note: Wool is CTO of AlgoSec]. Considering 36 vendor-neutral configuration errors that create risk behind the firewall, I evaluated more than 80 Check Point and Cisco firewall rule sets. After determining a measure of firewall complexity for each vendor, I discovered that indeed firewalls are poorly configured – and that there is a strong correlation between a rule-set’s complexity and the number of detected configuration errors.

Serious errors are alarmingly frequent. For instance, Microsoft services, which are a vector for numerous Internet worms, are allowed to enter networks from the outside in 42 percent of the surveyed firewalls. Furthermore, among the most complex firewalls, I detected at least 20 errors in 75 percent of the configurations.

Complex firewall rule-sets are too difficult for their administrators to manage effectively. It is safer to limit the complexity of a firewall rule-set. For example, instead of connecting an additional subnet to the primary firewall, which in turn generates more rules and objects, a company can reduce its risk by installing a dedicated firewall to protect the new subnet.

As my research indicates, there are very few high-complexity rule sets that are well-configured. Furthermore, there is a clear correlation between rule set complexity and the number of detected errors. Thus, we can say that for well-configured firewalls, good things come in small packages.
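To make the two findings above concrete, here is a small rule-set linter added for this post (it is not the author's or AlgoSec's code): it computes a simple complexity score for a vendor-neutral rule list and flags the "Microsoft services allowed in from the outside" error the post cites. The rule format, the complexity formula (rules + objects + interface pairs) and the port list treated as "Microsoft services" are assumptions for illustration, and the sample policy is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed grouping of "Microsoft services": RPC endpoint mapper, NetBIOS, SMB.
MS_SERVICE_PORTS = {135, 137, 138, 139, 445}

@dataclass(frozen=True)
class Rule:
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    ports: frozenset  # destination ports; empty set means "any port"
    action: str       # "allow" or "deny"

def complexity(rules, objects, interfaces):
    """Assumed measure: rule count + network objects + number of interface pairs."""
    return len(rules) + objects + interfaces * (interfaces - 1) // 2

def is_external(addr, internal_nets):
    """An address is 'outside' if it is 'any' or not inside any internal network."""
    if addr == "any":
        return True
    net = ip_network(addr, strict=False)
    return not any(net.subnet_of(i) for i in internal_nets)

def inbound_ms_services(rules, internal_nets):
    """Return allow rules that let Microsoft service ports in from the outside."""
    nets = [ip_network(n) for n in internal_nets]
    hits = []
    for r in rules:
        if r.action != "allow" or not is_external(r.src, nets):
            continue
        if r.dst != "any" and is_external(r.dst, nets):
            continue  # destination is also outside, so this is not inbound traffic
        if not r.ports or r.ports & MS_SERVICE_PORTS:
            hits.append(r)  # "any port" or an explicit Microsoft service port
    return hits

# Constructed sample policy, not a real customer rule set.
INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]
SAMPLE_RULES = [
    Rule("any", "10.1.2.0/24", frozenset({443}), "allow"),        # HTTPS in: fine
    Rule("any", "10.1.5.10/32", frozenset({139, 445}), "allow"),  # SMB from anywhere
    Rule("203.0.113.0/24", "10.2.0.0/16", frozenset(), "allow"),  # any port inbound
    Rule("10.0.0.0/8", "any", frozenset({445}), "allow"),         # outbound only
    Rule("any", "any", frozenset(), "deny"),
]

if __name__ == "__main__":
    print("complexity:", complexity(SAMPLE_RULES, objects=12, interfaces=3))
    for r in inbound_ms_services(SAMPLE_RULES, INTERNAL):
        print("risky:", r)
```

The same loop can host the other checks a reviewer wants (for example, "any"-to-"any" allow rules), and the complexity score gives a number to track as a policy grows.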

Dr. Avishai Wool is CTO of AlgoSec, a network security policy management company.
