To the original question: a) a different rulebase for each discrete function (DMZ, internet, extranet, VPN); b) NG introduced section titles. These are expandable/collapsible sections of rules that can be divided any way that makes sense to you. For example, in our DMZ rulebase we have an admin section at the top (for us to manage the fw, the VRRP rule, monitoring, etc.), a heavy-hitter section, db-related rules, application-related rules, misc rules, network mgmt rules (to allow network engineers to reach and manage their devices through the fw), and finally general management rules and the cleanup section (not just the cleanup rule, but some specific ones before it to pick out particular drops separately from the cleanup drops).
On Mike's comment about a "dangerous amount of rules for one policy": I have heard something akin to this many times, but the alternative in enterprise-level areas is to throw away either single enforcement points or discrete access control. For example, my aforementioned DMZ firewall pair controls access to/from/between web, app, and db servers, 350-400 at last count. That rulebase is on the order of 800 rules right now. In order to meet that ridiculous "50 rules or less" suggestion I've seen in CP literature, I would have to either create 80 DMZs, force a large enterprise to consolidate massive numbers of applications onto a couple of each type of server (web/app/db), or go completely zone-based (all of the web tier can talk to all of the app tier on these 15 ports, all of the app tier can talk to all of the db tier on these 10 ports) and ditch discrete access altogether. Might as well have a router instead.
So what's the realistic answer here? I've had to take the approach of throwing big enough hardware at it and being intelligent about rule order and efficiency. From discussions with CP engineers, rules are matched according to a 4-tuple, as follows: protocol type (so limit rules with more than one protocol; split them up); service (limit the number of services in a rule; "any" is inefficient, basically being a list of all services); destination (limit the number of destinations in a single rule); and finally source. If you've kept from having rules with both ping and tcp, you've used specific services and a limited number of them, and you've kept from having "any" or a list of 85 hosts in the destination field, you're about as efficient as you can get.
Mike Feetham wrote:
That's a dangerous amount of rules for one policy. You may want to consider breaking it down, grouping enforcement points by traffic requirements, and building a few smaller security policies.
-----Original Message----- From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Chandraprakash Suryawanshi Sent: Tuesday, January 18, 2005 5:57 AM To: [email protected] Subject: [FW-1] Rules tidy
We have some 28 firewall modules and one management server and there are some 6 admins for that.
I need to document rules to keep the rulebase in SmartDashboard tidy, as there are some 600+ rules.
Any link, document, or comment on this?
Regards
Chandra Prakash
Sr. Engineer- IT Security
CISSP, MCSE, CCNA, CCSA
TNS India
Plot no 17, Vanenberg IT Park
Madhavpur, Hyderabad
Mobile---98852-84071
040-55758000 ext.584
================================================= To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [EMAIL PROTECTED] =================================================
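As an added example (not code from the thread, from Check Point, or from any of the posters), here is a small linter that applies the rule-order heuristics from the top reply to a rulebase: flag rules whose services span more than one IP protocol, rules with "any" or a long service list, and rules with "any" or a long destination list, and offer a helper that splits a mixed-protocol rule into one rule per protocol. The Rule record, the service-to-protocol table, the thresholds, the cleanup-rule exemption and the sample rulebase (with made-up hostnames, laid out in the sections the reply describes) are all assumptions made for this example; a real export from the management server would need its own parser and would resolve service objects from the object database.

```python
"""Rulebase hygiene linter.

Added example, not code from the original thread or from Check Point. It
encodes the efficiency heuristics the reply attributes to CP engineers:
rules are matched by protocol, then service, then destination, then
source, so it flags rules that mix protocols, use 'any' or long service
lists, or carry 'any' or long destination lists, and offers a helper to
split a mixed-protocol rule. The Rule format, the service-to-protocol
table and the thresholds are assumptions made for this example.
"""
from dataclasses import dataclass

# Assumed service catalogue (name -> IP protocol). A real rulebase resolves
# service objects to protocol/port from the management server's objects.
SERVICE_PROTO = {
    "http": "tcp", "https": "tcp", "ssh": "tcp", "mysql": "tcp",
    "domain-tcp": "tcp", "snmp": "udp", "ntp": "udp", "domain-udp": "udp",
    "icmp-echo": "icmp", "icmp-ttl": "icmp",
}

MAX_SERVICES = 5       # assumed threshold for "too many services in one rule"
MAX_DESTINATIONS = 10  # assumed threshold for "too many destinations in one rule"


@dataclass
class Rule:
    no: int
    name: str
    src: list
    dst: list
    svc: list
    action: str = "accept"


@dataclass
class Finding:
    rule_no: int
    code: str
    detail: str


def protocols_of(services):
    """IP protocols a service list spans; 'any' and unknown names get their own bucket."""
    return {"any" if s == "any" else SERVICE_PROTO.get(s, "unknown") for s in services}


def is_cleanup(rule):
    """Assumption: the trailing any/any/any drop is the normal cleanup rule and is not flagged."""
    return rule.action == "drop" and rule.src == ["any"] and rule.dst == ["any"] and rule.svc == ["any"]


def lint(rules):
    """Return a Finding for every rule that violates one of the ordering heuristics."""
    findings = []
    for r in rules:
        if is_cleanup(r):
            continue
        protos = protocols_of(r.svc)
        if len(protos) > 1:
            findings.append(Finding(r.no, "MIXED_PROTO",
                            f"services span {sorted(protos)}; split into one rule per protocol"))
        if "any" in r.svc:
            findings.append(Finding(r.no, "SVC_ANY",
                            "service 'any' is matched as the full service list; name the ports"))
        elif len(r.svc) > MAX_SERVICES:
            findings.append(Finding(r.no, "SVC_MANY",
                            f"{len(r.svc)} services in one rule (limit {MAX_SERVICES})"))
        if "any" in r.dst:
            findings.append(Finding(r.no, "DST_ANY", "destination 'any'; name the hosts or groups"))
        elif len(r.dst) > MAX_DESTINATIONS:
            findings.append(Finding(r.no, "DST_MANY",
                            f"{len(r.dst)} destinations in one rule (limit {MAX_DESTINATIONS})"))
    return findings


def split_by_protocol(rule):
    """Split a mixed-protocol rule into one rule per protocol, keeping service order."""
    buckets = {}
    for s in rule.svc:
        buckets.setdefault(protocols_of([s]).pop(), []).append(s)
    if len(buckets) < 2:
        return [rule]
    return [Rule(rule.no, f"{rule.name} ({proto})", list(rule.src), list(rule.dst), svcs, rule.action)
            for proto, svcs in buckets.items()]


# Constructed sample rulebase in the DMZ layout the reply describes (admin, heavy
# hitters, app tier, misc, network mgmt, cleanup); hostnames are made up.
SAMPLE_RULES = [
    Rule(1, "admin ssh", ["mgmt-01"], ["dmz-fw-cluster"], ["ssh"]),
    Rule(2, "monitoring", ["nms-01"], ["dmz-fw-cluster"], ["snmp", "icmp-echo"]),
    Rule(3, "web to app", ["web-tier"], [f"app-{i:02d}" for i in range(1, 13)], ["http", "https"]),
    Rule(4, "misc db access", ["ops-jump"], ["db-01"], ["any"]),
    Rule(5, "network mgmt", ["noc"], ["core-sw-01"],
         ["ssh", "https", "snmp", "ntp", "domain-udp", "domain-tcp"]),
    Rule(6, "cleanup", ["any"], ["any"], ["any"], action="drop"),
]

if __name__ == "__main__":
    for f in lint(SAMPLE_RULES):
        print(f"rule {f.rule_no}: {f.code}: {f.detail}")
    for part in split_by_protocol(SAMPLE_RULES[1]):
        print(f"rule {part.no} -> {part.name}: {part.svc}")
```

Run it as-is to see the sample findings: the monitoring rule and the network mgmt rule get flagged for mixing protocols (snmp/icmp and tcp/udp), the web-to-app rule for its 12 destinations, and the misc rule for service "any", while the any/any/any cleanup drop is left alone. The split helper keeps the original rule number so the two halves land next to each other in the same section when you apply the change.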
