I don't think that you will find an answer to your question. I guess that no one would say that there must be more than 1 and less than 100 rules or something like that. I mean you are right, the real answer is 'it depends'. But it depends on what? I guess that's maybe the question you have to answer and to explain. Try to argue from the business side, e.g. if you just want to allow the internal clients to use HTTP to surf around the world, you probably need three rules: one for HTTP, one for DNS queries and of course one for the stealth rule. For every further business request you need more rules, that's the game.
Of course we all know that a rule set with 500 rules is not easy to manage and maybe there are ways to reduce the number of rules, but as you said, a firewall with 500 rules can be more secure than a firewall with one rule allowing any traffic from anywhere with any protocol.
I will follow that thread to see what answers you receive.
Good luck anyway
:-)
Horst
Albert Higgins wrote:
Hi,
Our auditors are in the midst of things, and they want to know how many rules a firewall should have.
I told them that ‘it depends’. I said that there is no specific number and a good firewall can have 500 rules, while a bad firewall can have 3 rules.
They nonetheless want a specific number and they want me to answer the following question:
How many rules should both the perimeter and internal firewalls of a global financial services organization have?
I need to point them to a document or URL. Anyone have a reference I could use?
Thanks!!!!
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
-- Horst Moll (Dipl.-Ing. TH) IT Sicherheitsberater __________________________________________________________________ BDG GmbH & Co. KG - Make IT safe. Stollberger Str. 307 D-50933 Koeln Tel: +49 (0)221-954231-0 Fax: +49 (0)221-954231-31 E-Mail: [EMAIL PROTECTED]
PGP Fingerprint: F012 EBD9 8872 A00B E444 659C 5B64 C172 A126 B78F ___________________________________________________________________
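The three-rule set Horst sketches (HTTP out, DNS out, and a stealth rule protecting the firewall itself), modelled as an added example that is not part of the original thread: an ordered, first-match rule base with an implicit cleanup drop, plus a small audit that flags the "any source, any destination, any service, accept" rule he contrasts it with and a stealth rule that is missing or placed after an accept rule. The Rule and Packet classes, the addresses (10.0.0.0/8 internal, 192.0.2.1 as the firewall's address) and the rule names are all constructed for illustration; none of this is Check Point syntax.

```python
"""Toy first-match firewall rule base and audit (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR, single address, or "any"
    dst: str              # CIDR, single address, or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _net_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_net_match(rule.src, pkt.src) and _net_match(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the implicit cleanup drop."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "implicit-cleanup"


def _sample_packet(rule: Rule, dst: str) -> Packet:
    """Build a packet that satisfies `rule` but is addressed to `dst` (the firewall)."""
    src = "198.51.100.7" if rule.src == "any" else str(next(ip_network(rule.src).hosts()))
    proto = "tcp" if rule.proto == "any" else rule.proto
    dport = 80 if rule.dport is None else rule.dport
    return Packet(src, dst, proto, dport)


def audit(rules: List[Rule], firewall_addrs: List[str]) -> List[str]:
    """Flag an any/any/any accept and any accept that reaches the firewall itself."""
    findings = []
    for r in rules:
        if (r.action == "accept" and r.src == "any" and r.dst == "any"
                and r.proto == "any" and r.dport is None):
            findings.append(f"{r.name}: accepts any source, destination and service")
    # Stealth check: for every accept rule whose destination covers a firewall
    # address, a packet to that address matching the rule must still be dropped,
    # i.e. a stealth rule has to sit in front of it.
    for fw in firewall_addrs:
        for r in rules:
            if r.action != "accept" or not _net_match(r.dst, fw):
                continue
            verdict, hit = evaluate(rules, _sample_packet(r, fw))
            if verdict == "accept":
                findings.append(f"no stealth rule: traffic to firewall {fw} is accepted by {hit}")
    return findings


INTERNAL = "10.0.0.0/8"          # constructed: the internal client network
FIREWALL = ["192.0.2.1"]         # constructed: the firewall's own address

# Horst's three rules, in the order they must appear.
MINIMAL_HTTP = [
    Rule("stealth", "any", "192.0.2.1", "any", None, "drop"),
    Rule("http-out", INTERNAL, "any", "tcp", 80, "accept"),
    Rule("dns-out", INTERNAL, "any", "udp", 53, "accept"),
]
# Same rules with the stealth rule demoted below the HTTP rule.
MISORDERED = [MINIMAL_HTTP[1], MINIMAL_HTTP[0], MINIMAL_HTTP[2]]
# The one-rule "any any any accept" firewall from the reply above.
ANY_ANY = [Rule("allow-all", "any", "any", "any", None, "accept")]

if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", "203.0.113.5", "tcp", 80),   # browsing: accepted
                Packet("10.1.2.3", "192.0.2.1", "tcp", 80),     # to the firewall: stealth drop
                Packet("203.0.113.5", "10.1.2.3", "tcp", 80),   # inbound: cleanup drop
                Packet("10.1.2.3", "203.0.113.5", "tcp", 443)): # HTTPS: needs one more rule
        print(pkt, "->", evaluate(MINIMAL_HTTP, pkt))
    for name, rules in (("minimal", MINIMAL_HTTP), ("misordered", MISORDERED), ("any-any", ANY_ANY)):
        print(name, audit(rules, FIREWALL))
```

The HTTPS packet is dropped by the cleanup rule on purpose: that is the "every further business request needs more rules" point, and the audit shows why rule count alone says nothing, since the one-rule set fails both checks while the three-rule set passes.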
