Thanks for your response,

The point you make about a firewall not telling you that you have left a 
hole in the security is useful. What I am trying to find out is common 
issues where administrators have configured a rulebase that looks correct 
and may work correctly, only to discover at a later date they have left a 
wide open hole somewhere. Either because rules function differently to 
expected or because they didn't test every possible rule boundary.

The point I was hoping to get feedback on was altering an existing rulebase 
to incorporate changes in an organisation's security policy. Should the whole 
rulebase be reworked or can extra rules just be added to the end? Then comes 
the issue of performance: should rules that permit the most traffic be given 
priority over more defined rules?

Any comments welcome.

Regards
Richard
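
The append-versus-rework question above, as an added example that is not part of the original message: a small checker that flags rules which can never fire and probes the edges of a new rule. It assumes top-down, first-match evaluation with an implicit final drop; the rule names, addresses and ports are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    action: str    # "accept" or "drop"
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: range   # destination ports

def covers(a, b):
    """True if every packet that matches b also matches a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.ports.start <= b.ports.start and b.ports.stop <= a.ports.stop)

def shadowed(rules):
    """(later, earlier, conflict) for each rule an earlier rule fully covers."""
    return [(later.name, earlier.name, later.action != earlier.action)
            for i, later in enumerate(rules)
            for earlier in rules[:i] if covers(earlier, later)]

def decide(rules, src, dst, port):
    """(action, rule name) of the first matching rule, else the implicit drop."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst) and port in r.ports):
            return r.action, r.name
    return "drop", "implicit-drop"

# Constructed rulebase: a broad permit sits high up, then policy changes
# and outbound telnet from one subnet must be blocked.
ANY = "0.0.0.0/0"
WEB = Rule("web-in", "accept", ANY, "192.0.2.0/24", range(80, 81))
LAN_OUT = Rule("lan-out", "accept", "10.0.0.0/8", ANY, range(1, 65536))
NO_TELNET = Rule("no-telnet", "drop", "10.1.0.0/16", ANY, range(23, 24))

APPENDED = [WEB, LAN_OUT, NO_TELNET]   # new rule added to the end
REWORKED = [WEB, NO_TELNET, LAN_OUT]   # new rule placed above the broad permit

# Probes on and just outside the new rule's boundaries (port and subnet edge).
PROBES = [("10.1.2.3", "198.51.100.7", 23), ("10.1.2.3", "198.51.100.7", 22),
          ("10.2.0.1", "198.51.100.7", 23), ("203.0.113.9", "192.0.2.10", 80)]

if __name__ == "__main__":
    print("shadowed when appended:", shadowed(APPENDED))
    for p in PROBES:
        print(p, decide(APPENDED, *p), decide(REWORKED, *p))
```
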

>From: "Hiemstra, Brenno" <[EMAIL PROTECTED]>
>To: "'Richard Saddington'" <[EMAIL PROTECTED]>, 
>[EMAIL PROTECTED]
>Subject: RE: How easy is it to configure a rulebase.
>Date: Wed, 5 Dec 2001 11:22:18 +0100
>
>Richard,
>
>In my opinion it's not the way "how easy it is" to configure
>a rulebase. I don't care how easy as long as it's good, functional
>and most of all secure.
>
>I think firewall administration is not for anyone that knows
>how to make a rule in CP FW-1. You need to know more
>to set up a right rulebase. You need to know more about
>what service you are going to allow and what the implications
>are on the firewalls / server.
>
>Firewall administration doesn't need to be made easy because
>a firewall will not tell you that you made a wrong rule that opens
>up your whole network. Firewall administration needs to be made
>thorough and secure. A good viewable GUI is an advantage but
>if the firewall itself lacks security that doesn't make it more secure.
>
>Administrating a firewall's ruleset in a plain text file may be a
>pain in the ass if the rulebase is big but then you will learn
>administrating firewalls the hard way (in my opinion). It's still
>possible to open up the rulebase more than it needs, though!
>
>Just my thoughts..
>
>Regards,
>
>
>Brenno
>
> > -----Original Message-----
> > From:       Richard Saddington [SMTP:[EMAIL PROTECTED]]
> > Sent:       dinsdag 4 december 2001 13:59
> > To: [EMAIL PROTECTED]
> > Subject:    How easy is it to configure a rulebase.
> >
> > Hi All,
> >
> > I am an undergrad student researching firewall technologies, specifically
> > how rulebases are configured to filter packets.
> >
> > What I would like to know is problems people have had configuring rule
> > tables, e.g. getting the rules in the right order, difficulties
> > implementing the security policy/changes in security policy etc.
> >
> > The two products I have been looking at are CP's Firewall-1 and the
> > Netscreen-100. Any info on rulebases on these firewalls would be most
> > useful.
> >
> > Cheers
> > Richard
> >
> >
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls

