If you have 60 rules, tell them you should have 70. You're just being
efficient!
Hal Dorsman <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED].US.CHECKPOINT.COM>
05/06/2004 10:35 AM
Please respond to Mailing list for discussion of Firewall-1

To: [EMAIL PROTECTED]
cc:
Subject: Re: [FW-1] How many rules should a firewall have?
> Hi,
>
> Our auditors want to know how many rules a firewall should have.
Actually an absurdly simplistic and foolish question for them.
>
> I told them that 'it depends'. But they want me to answer
> the following
> question:
Yes, it depends on the company security policy. Firewalls do not set
policy, they only enforce it.
>
> How many rules should both the perimeter and internal
> firewalls of a global
> financial services organization have?
It depends. Tell them to give you a detailed company security policy
and you can build a rulebase to implement their policy. Then you can
give them a count. That is how many you should have. ;)
>
> I need to point them to a document or URL. Anyone have a
> reference I could
> use?
Try "Building Internet Firewalls" by Chapman and Zwicky, available
at O'Reilly's (www.ora.com). Chapter 11 covers security policies.
Good luck
Hal
>
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================