Tell them five more than you have defined, that way you have growing room :)

For a financial institution I would think that you would have an inbound
rule open for HTTP or HTTPS at your DMZ on the perimeter firewall, and then
the stealth rule and firewall communication rules, so maybe 5 or 6.  Maybe a
rule to allow an HTTP or SMTP proxy to get to the web, but this should be
very small.

Inside, well depends on what's going on, but you'll need rules for whatever
OS you are running to communicate to a variety of servers.  This could be
generally 10 or 20, large organizations 100 or more.

I would suggest that for perimeter firewalls at financial institutions, 10
rules.

Internal firewalls at financial institutions probably 50, that way you have
ample room to quarantine traffic to the explicit servers that need the
access, but this could be 100s of rules to do explicit traffic correctly.

Yet again, it depends....
Derek

-----Original Message-----
From: Security [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 06, 2004 11:42 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] How many rules should a firewall have?

This seems to be an opinion question.

Mine would be
    you need a rule to hide the firewall.
    you need a rule to communicate with the firewall.
    you need a rule to log everything else.

Other than that I do not see it as a need for the firewall.
For a firewall to allow traffic is not the need of the firewall but the need
of the network, so I believe it is Three.

----- Original Message -----
From: "Albert Higgins" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 06, 2004 10:13 AM
Subject: [FW-1] How many rules should a firewall have?


> Hi,
>
> Our auditors want to know how many rules a firewall should have.
>
> I told them that 'it depends'.  But they want me to answer the following
> question:
>
> How many rules should both the perimeter and internal firewalls of a
> global financial services organization have?
>
> I need to point them to a document or URL.   Anyone have a reference I
> could use?
>
> Thanks!!!!
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
