Richard,

The best way to test your rulebase is to audit your network/firewall to see that you have made the right rulebase configuration. If you see awkward open ports you probably made a mistake in the config of your rulebase. And maybe your rulebase is pretty strict, but for example the product Checkpoint Firewall-1 has some default open ports... So these are also something you must know and disable to be sure you don't get them back in your audit.

Most firewalls work on a "per rule" basis. They receive a packet and they go through the rulebase and let the packet through on the first corresponding rule it applies to. (Some firewall packages work in a slightly different way, for example IPFilter without the "quick" option.)

A rulebase can always be altered and in practice this is a very common thing that happens. Rulebases always change because new services need to be opened or something like that. The best practice is building up a rulebase with first the "specific" rules and then the more "open" rules. If you are satisfied with how the rulebase is built up you can just add the additional rules to the rulebase, but be sure to place the rules not at the end but more where the rules are in the direction of the packets. So more specific rules first and then more open rules.

Performance isn't a problem if you scale your firewall correctly. Most firewalls load their rulebase into memory so that they can route the packets as fast as possible. If you have a very fast internet connection you must scale your firewall too and maybe add more firewalls and build a cluster so you can load balance and load share the connections to and from your network.

Anyway... I hope that I gave you some more info for your research.

Regards,
Brenno

> -----Original Message-----
> From: Richard Saddington [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday 5 December 2001 20:53
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: How easy is it to configure a rulebase.
>
> Thanks for your response,
>
> The point you make about a firewall not telling you that you have left a
> hole in the security is useful. What I am trying to find out is common
> issues where administrators have configured a rulebase that looks correct
> and may work correctly, only to discover at a later date they have left a
> wide open hole somewhere. Either because rules function differently to
> expected or they didn't test every possible rule boundary.
>
> The point I was hoping to get feedback on was altering an existing rulebase
> to incorporate changes in an organisation's security policy. Should the whole
> rulebase be reworked or can extra rules just be added to the end? Then comes
> the issue of performance, should rules that permit the most amount of
> traffic be given priority over more defined rules?
>
> Any comments welcome.
>
> Regards
> Richard
>
> >From: "Hiemstra, Brenno" <[EMAIL PROTECTED]>
> >To: "'Richard Saddington'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> >Subject: RE: How easy is it to configure a rulebase.
> >Date: Wed, 5 Dec 2001 11:22:18 +0100
> >
> >Richard,
> >
> >In my opinion it's not the way "how easy it is" to configure
> >a rulebase. I don't care how easy as long as it's good, functional
> >and most of all secure.
> >
> >I think firewall administration is not for anyone that knows
> >how to make a rule in CP FW-1. You need to know more
> >to set up a right rulebase. You need to know more about
> >what service you are going to allow and what the implications
> >are on the firewalls / server.
> >
> >Firewall administration doesn't need to be made easy because
> >a firewall will not tell you that you made a wrong rule that opens
> >up your whole network. Firewall administration needs to be made
> >thorough and secure. A good viewable GUI is an advantage but
> >if the firewall itself lacks security that doesn't make it more secure.
> >
> >Administrating a firewall's ruleset in a plain text file may be a
> >pain in the ass if the rulebase is big but then you will learn
> >administrating firewalls the hard way (in my opinion). It's still
> >possible to open up the rulebase more than it needs though!
> >
> >Just my thoughts..
> >
> >Regards,
> >
> >Brenno
> >
> > > -----Original Message-----
> > > From: Richard Saddington [SMTP:[EMAIL PROTECTED]]
> > > Sent: Tuesday 4 December 2001 13:59
> > > To: [EMAIL PROTECTED]
> > > Subject: How easy is it to configure a rulebase.
> > >
> > > Hi All,
> > >
> > > I am an undergrad student researching firewall technologies, specifically
> > > how rulebases are configured to filter packets.
> > >
> > > What I would like to know is problems people have had configuring rule
> > > tables, e.g. getting the rules in the right order, difficulties implementing
> > > the security policy/changes in security policy etc.
> > >
> > > The two products I have been looking at are CP's Firewall-1 and the
> > > Netscreen-100. Any info on rulebases on these firewalls would be most
> > > useful.
> > >
> > > Cheers
> > > Richard
> > >
> > > _________________________________________________________________
> > > Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
> > >
> > > _______________________________________________
> > > Firewalls mailing list
> > > [EMAIL PROTECTED]
> > > http://lists.gnac.net/mailman/listinfo/firewalls
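The two points the thread turns on, first-match evaluation with specific rules ahead of open ones, and Richard's question of whether a rule can simply be appended at the end, can be checked mechanically. The following is an added example, not code from the thread or from Firewall-1, Netscreen or IPFilter: a tiny rule model with a first-match evaluator, a last-match evaluator standing in for IPFilter's behaviour without "quick", and a hypothetical `shadowed()` audit that reports rules an earlier, broader rule prevents from ever firing. The rulebase, addresses and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: tuple  # inclusive (low, high) port range, or None for any port

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport[0] <= port <= self.dport[1]))

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        src_ok = ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
        dst_ok = ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
        port_ok = self.dport is None or (other.dport is not None and
                  self.dport[0] <= other.dport[0] <= other.dport[1] <= self.dport[1])
        return src_ok and dst_ok and port_ok

def first_match(rules, src_ip, dst_ip, port, default="deny"):
    """FW-1 style evaluation: the first matching rule decides."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return default

def last_match(rules, src_ip, dst_ip, port, default="deny"):
    """IPFilter without 'quick': every rule is read and the last match decides."""
    verdict = default
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            verdict = rule.action
    return verdict

def shadowed(rules):
    """Indices of rules that can never fire under first-match: an earlier rule covers them."""
    return [j for j, r in enumerate(rules) if any(rules[i].covers(r) for i in range(j))]

# Constructed rulebase: a specific allow, a broad "open" allow, then a deny appended at the end.
RULES = [
    Rule("allow", "10.0.0.0/8", "192.0.2.10/32", (80, 80)),  # internal users -> web server
    Rule("allow", "0.0.0.0/0", "192.0.2.0/24", None),        # anyone -> whole DMZ (too open)
    Rule("deny", "0.0.0.0/0", "192.0.2.10/32", (22, 22)),    # added later: block SSH to web server
]
# Same three rules with the specific deny moved ahead of the open allow.
REORDERED = [RULES[0], RULES[2], RULES[1]]
```

Under first-match the appended deny never fires (`shadowed(RULES)` reports it) and SSH to the web server is allowed; the reordered list denies it, while the last-match model gives the opposite result for the very same rule order, which is why the same rulebase cannot be carried between engines without re-auditing.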
