Albert, auditors love standards, right? Point them to the "Common Criteria", http://csrc.nist.gov/cc/. Warning, it's extremely dry reading.
It's a more complex way of saying "it depends". See Appendix B, which describes PPs (Protection Profiles), which would then be translated into, among other things, firewall rules. Quoting:

"A PP defines an implementation-independent set of IT security requirements for a category of TOEs. Such TOEs are intended to meet common consumer needs for IT security. Consumers can therefore construct or cite a PP to express their IT security needs without reference to any specific TOE. 190 This annex contains the requirements for the PP in descriptive form. The assurance class APE, contained in clause 4 of CC Part 3, contains these requirements in the form of assurance components to be used for evaluation of the PP."

So another way of putting this would be: A good firewall has sufficient rules to satisfy the requirements laid out in the PP for a given category of TOEs.

That'll keep them busy for weeks ;)

Regards

Shawn Behrens
Senior Security Engineer
CCMSE CCSE CCNA CNE
INTEGRALIS
Your Trusted Security Partner
111 Founders Plaza 13th Floor
East Hartford, CT 06108 USA
Tel: +1 860 291 0851
Fax: +1 860 291 0847
[EMAIL PROTECTED]
www.integralis.com

> -----Original Message-----
> From: Albert Higgins [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 06, 2004 10:14 AM
> To: [EMAIL PROTECTED]
> Subject: [FW-1] How many rules should a firewall have?
>
> Hi,
>
> Our auditors want to know how many rules a firewall should have.
>
> I told them that 'it depends'. But they want me to answer the following
> question:
>
> How many rules should both the perimeter and internal firewalls of a global
> financial services organization have?
>
> I need to point them to a document or URL. Anyone have a reference I could
> use?
>
> Thanks!!!!
