> -----Original Message-----
> From: Mitchell Rowton [mailto:[EMAIL PROTECTED]
> Sent: 6 May 2004 17:04
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] How many rules should a firewall have?
>
>
> I would think that a good firewall may have 3 rules (permit internet and
> e-mail, deny everything else) while a bad firewall that needs 500 lines
> to permit everything could be too loose. But that's too generic to be
> useful. Probably the best thing to do is to develop a firewall policy.
> You can then reference the number of needed applications, and what part
> of the network they need to traverse.
>
> You may get away with telling them what is allowed through the firewall
> instead of the actual rules that allow this (if you document it in a
> policy or standard). You might be able to quote some of the papers
> below.
>
> Developing a Local Firewall Security Policy
> http://www.securitydocs.com/thread/1458
>
> Building Your Firewall Rulebase
> http://www.securitydocs.com/thread/403
I looked at http://www.spitzner.net/rules.html and read:

"The Security Architecture
As a security administrator, our first step is converting the security policy to security architecture. Let's now go through and convert each security policy bullet into technical implementation.
1. The first one is easy. Anything from the internal network is allowed outbound to the Internet."

I must say that I disagree with this. Allowing everything from internal networks to the Internet is not a very good idea IMHO. Only accept what you need, not things that could be nice to have.

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] and in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
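As an added illustration of the disagreement above (this is not part of the original thread, of Spitzner's paper, or of any Check Point code): a small first-match rulebase evaluator in Python, run against constructed flows, shows concretely what a single "anything internal is allowed outbound" rule lets through compared with a longer rulebase that names each permitted service. The 10.0.0.0/8 internal range, the 10.1.0.25 mail relay, the rule names, the external addresses and the sample flows are all assumptions made for the example.

```python
"""Added example (not from the thread): first-match rulebase evaluator that
compares an "anything internal outbound" rulebase with one that only permits
named services. All addresses, hosts and flows below are constructed."""
import ipaddress
from dataclasses import dataclass

ANY = "any"

# Assumed topology for the example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # internal workstations
MAIL_RELAY = ipaddress.ip_network("10.1.0.25/32")  # the one host allowed to talk SMTP out


@dataclass
class Rule:
    name: str
    src: object    # ipaddress network or ANY
    dst: object    # ipaddress network or ANY
    proto: str     # "tcp", "udp" or ANY
    dport: object  # destination port (int) or ANY
    action: str    # "accept" or "drop"


@dataclass
class Flow:
    label: str
    src: str
    dst: str
    proto: str
    dport: int


def _net_match(net, addr):
    return net == ANY or ipaddress.ip_address(addr) in net


def evaluate(rulebase, flow):
    """Return (rule name, action) of the first rule matching the flow.
    Rules are tried top-down, as FW-1 does; if nothing matches, the
    implicit final drop applies."""
    for r in rulebase:
        if (_net_match(r.src, flow.src) and _net_match(r.dst, flow.dst)
                and r.proto in (ANY, flow.proto)
                and r.dport in (ANY, flow.dport)):
            return r.name, r.action
    return "implicit-drop", "drop"


# Short rulebase in the spirit of "anything internal is allowed outbound".
PERMISSIVE = [
    Rule("internal-out-any", INTERNAL, ANY, ANY, ANY, "accept"),
    Rule("inbound-smtp", ANY, MAIL_RELAY, "tcp", 25, "accept"),
    Rule("cleanup", ANY, ANY, ANY, ANY, "drop"),
]

# Longer rulebase that only accepts what is needed.
RESTRICTIVE = [
    Rule("internal-http", INTERNAL, ANY, "tcp", 80, "accept"),
    Rule("internal-https", INTERNAL, ANY, "tcp", 443, "accept"),
    Rule("relay-smtp-out", MAIL_RELAY, ANY, "tcp", 25, "accept"),
    Rule("inbound-smtp", ANY, MAIL_RELAY, "tcp", 25, "accept"),
    Rule("cleanup", ANY, ANY, ANY, ANY, "drop"),
]

# Constructed traffic to run both rulebases against.
SAMPLE_FLOWS = [
    Flow("workstation web", "10.2.3.4", "203.0.113.10", "tcp", 443),
    Flow("workstation irc", "10.2.3.4", "203.0.113.10", "tcp", 6667),
    Flow("workstation direct smtp", "10.2.3.4", "203.0.113.10", "tcp", 25),
    Flow("relay smtp out", "10.1.0.25", "203.0.113.10", "tcp", 25),
    Flow("inbound smtp", "198.51.100.7", "10.1.0.25", "tcp", 25),
    Flow("inbound smb", "198.51.100.7", "10.2.3.4", "tcp", 445),
]


def divergent(flows=SAMPLE_FLOWS):
    """Labels of flows that the permissive rulebase accepts but the
    restrictive one drops: the traffic the short rulebase lets out."""
    return [f.label for f in flows
            if evaluate(PERMISSIVE, f)[1] == "accept"
            and evaluate(RESTRICTIVE, f)[1] == "drop"]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.label:24} permissive={evaluate(PERMISSIVE, f)}  "
              f"restrictive={evaluate(RESTRICTIVE, f)}")
    print("accepted only by the permissive rulebase:", divergent())
```

Run as-is, the permissive rulebase accepts the workstation's IRC session and its direct outbound SMTP (which is how a mail-sending worm on a desktop gets out), while the restrictive one drops both and still passes web traffic and the relay's mail. The restrictive rulebase is longer, which is the point the quoted reply makes about rule counts: the number of rules says nothing about how tight the policy is.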
