There is no answer to that question. Check Point trainers say no more than 50 rules, 
but we have over 80, and I know more than one company that has 200+.

Company A might have 1 rule allowing inbound SMTP while company B might have 10 (one 
for each domain). Neither is wrong.

Maybe your auditors are asking the wrong questions?!?!

M2...

-----Original Message-----
From:   Nils Kolstein [mailto:[EMAIL PROTECTED]]
Sent:   May 6, 2004 11:08 AM
To:     [EMAIL PROTECTED]
Subject:        Re: [FW-1] How many rules should a firewall have?

> Hi,
>
> Our auditors are in the midst of things, and they want to
> know how many rules a firewall should have.
>
> I told them that 'it depends'. I said that there is no
> specific number, and a good firewall can have 500 rules, while a bad
> firewall can have 3 rules.
>
> They nonetheless want a specific number and they want me to
> answer the following question:
>
> How many rules should both the perimeter and internal
> firewalls of a global financial services organization have?
>
> I need to point them to a document or URL. Anyone have a
> reference I could use?
>
> Thanks!!!!

It surely depends, but a quick-and-dirty rule-of-thumb suggests:

More rules means more compiling time, means more system resources, means
etc. etc. ;-))
More rules don't always have to imply that your network is more
secure. It could also mean your network design is not clear on how
traffic flows are running. Especially the latter is important.

Just my 2 cents ;-)

Nils Kolstein

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

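An added example, not part of the thread or of any Check Point tooling, to put numbers behind the two points above: M2's "1 rule versus 10 rules, neither is wrong", and Nils' warning that a large rulebase often means the traffic flows are not clearly understood. The two rulebases, hosts and addresses below are constructed for the illustration (TEST-NET ranges), and the first-match evaluator is a simplified model of a Check Point rulebase with an implicit cleanup rule, not the product's real matching engine. Company A permits inbound SMTP to its MX block with one rule; company B does it with one rule per MX host and carries a "block" rule that can never fire because an earlier accept covers it. An exhaustive comparison over a sample of the packet space shows both permit exactly the same traffic, which is the figure an auditor should actually be asking about, while the shadowing check finds the dead rule in B.

```python
"""Rule count versus permitted traffic: two constructed rulebases that admit
the same inbound SMTP, plus a check for rules shadowed by an earlier one."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def evaluate(rulebase: List[Rule], src: IPv4Address, dst: IPv4Address,
             dport: int, cleanup: str = "drop") -> str:
    """First-match semantics (simplified model): the first rule that matches
    decides; the implicit cleanup rule drops everything else."""
    for rule in rulebase:
        if rule.matches(src, dst, dport):
            return rule.action
    return cleanup


def first_difference(rb_a, rb_b, srcs, dsts, dports) -> Optional[Tuple[str, str, int]]:
    """Compare decisions over a sample of the packet space; return the first
    packet the two rulebases treat differently, or None if they agree."""
    for src in srcs:
        for dst in dsts:
            for dport in dports:
                if evaluate(rb_a, src, dst, dport) != evaluate(rb_b, src, dst, dport):
                    return (str(src), str(dst), dport)
    return None


def shadowed(rulebase: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that a single earlier rule already covers completely, so they
    can never match.  Shadowing by the union of several earlier rules is not
    detected here; that needs set arithmetic over every field."""
    found = []
    for j, later in enumerate(rulebase):
        for earlier in rulebase[:j]:
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                found.append((later.name, earlier.name))
                break
    return found


ANY = ip_network("0.0.0.0/0")

# Company A (constructed): one rule for the whole MX block.
COMPANY_A = [Rule("smtp-in", ANY, ip_network("203.0.113.8/30"), 25, "accept")]

# Company B (constructed): one rule per MX host, plus a later "block" for a
# decommissioned host that is shadowed by smtp-in-2 and therefore dead.
MX_HOSTS = ["203.0.113.8", "203.0.113.9", "203.0.113.10", "203.0.113.11"]
COMPANY_B = [Rule(f"smtp-in-{i}", ANY, ip_network(f"{h}/32"), 25, "accept")
             for i, h in enumerate(MX_HOSTS, 1)]
COMPANY_B.append(Rule("block-old-mx", ANY, ip_network("203.0.113.9/32"), 25, "drop"))

# Sample packet space: two sources, every address in the /28 around the MX
# block, and SMTP plus two ports that must stay closed.
SAMPLE_SRCS = [IPv4Address("198.51.100.7"), IPv4Address("192.0.2.33")]
SAMPLE_DSTS = list(ip_network("203.0.113.0/28"))
SAMPLE_PORTS = [25, 587, 443]


def audit() -> dict:
    """The figures that matter: rule counts, whether the permitted traffic is
    identical, and which rules are dead weight."""
    return {
        "rules_a": len(COMPANY_A),
        "rules_b": len(COMPANY_B),
        "first_difference": first_difference(COMPANY_A, COMPANY_B,
                                             SAMPLE_SRCS, SAMPLE_DSTS, SAMPLE_PORTS),
        "shadowed_a": shadowed(COMPANY_A),
        "shadowed_b": shadowed(COMPANY_B),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Running it reports one rule against five, no packet in the sample treated differently, and `block-old-mx` shadowed by `smtp-in-2`: the same exposure either way, and the only finding worth an auditor's time is the rule that was meant to close something and does not.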