The Color of Information Security - Most Definitely Gray

Article by Ben Rothke
Published on May 6, 2008

If information security were a color, it would most definitely be gray. Information security, like life in general, is rarely black and white. Ask any information security professional and you will find that most questions about security and privacy are answered the same way: it depends.

That is precisely what frustrates many people when dealing with security and privacy: its vagueness and abstractness. People want clear-cut, well-defined answers. But risk is rarely so polite as to allow itself to be answered in such a distinct manner.

Many security professionals run into this particular wall when dealing with auditors. Auditors often deal with security issues in a black and white manner, often via clipboards and checklists. Auditors will ask a plethora of yes/no questions, report their findings, and then the fun begins. By way of example, the answer “it depends” recently caused agitation to an auditor in response to the question: how many rules should a corporate gateway firewall have?

Truth be told, an extemporaneous answer could have been given by simply stating a number. Replying “I have found that best practice is that corporate firewalls should have no more than 57 rules” would have been accepted and the auditor would have been content. The auditor would then perform a simple if/then/else audit: if the firewall has fewer than 57 rules, then that is fine; else, issue a finding report. Ultimately, such an approach is a major disservice.

But the question remains: how many rules should a firewall have? That question will be answered, but first, a bit of preamble. Before a firewall can be audited, there must be something to audit it against. Similar to plotting a point, one needs values on each axis, namely x, y and z. For example, Bob weighs 175 pounds; is he fat? If his weight is x, then y and z are his height and age. So if Bob is 5’1” and 12 years old, he is morbidly obese. If he is 37 and 6’2”, he is in excellent shape.

When it comes to firewalls, the y and z axes are the corporate policies and procedures (note that there are often many more variables to consider). Policy is a critical element of the effective and successful operation of a firewall. A firewall can’t be effective unless it is deployed in the context of working policies that govern its use and administration.

Noted security guru Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do”. Ranum describes a conundrum faced by many: they want the answers but have no policies.

The Mythical firewall rule number

So what is the number of rules a firewall should have? The number of rules should be exactly the amount needed to map an organization’s Internet security policy onto its firewall rulebase. If no Internet connectivity is allowed, then there should be but one rule: Any/Any/Deny. For a large financial services company, with multiple DMZs, VPNs, applications, external service providers, services, customers, proxies and more, the number of rules could easily exceed 150.

In addition, there are many ways to create a rule, depending on style. Some rules can be quite granular, others broader. SMTP can be mapped to individual mail servers, requiring up to 10 rules, or to a group of servers, requiring but a single rule.

It is hard to find a definitive reference stating that a firewall should have no more than X rules. In fact, Check Point won’t touch the question. The closest one can find is Lance Spitzner writing in Building Your Firewall Rulebase (www.spitzner.net/rules.html) that a good rule of thumb is to have no more than 30 rules. With 30 rules, it’s relatively easy to understand what is going on. Between 30 and 50 rules, things become confusing, and the odds grow exponentially that something will be misconfigured. Anything over 50 rules and you end up fighting a losing battle.

As Einstein stated, “keep everything as simple as possible, but no simpler”. Keeping a rulebase simple, with a limited number of rules, makes auditing the firewall much easier. Be it firewalls or programming in general, simplicity is the ultimate goal. In an audit, the auditor attempts to map the data flows traversing the firewall. Once the rulebase grows over 100 rules, determining those data flows becomes extremely difficult. Spitzner astutely notes that once the rulebase hits the 200 mark, an organization needs to take a serious look at its overall security architecture, and not just the firewall rulebase.
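As an added illustration (not code from the article, from Spitzner, or from any firewall vendor), the following Python script applies two of the points above to a constructed rulebase: it collapses the per-server SMTP rules into a single group rule, merging only adjacent rules so that first-match order and behaviour are unchanged, and it rates the before-and-after rule counts against the 30/50/100/200 thresholds quoted above. The rule format, the sample rules and the band labels are assumptions made for this example.

```python
# Toy first-match rulebase checker. Rule format and sample data are constructed
# for this example: (source, destination, service, action).
# Ten SMTP rules, one per mail server, mirror the article's "up to 10 rules" case.
RULEBASE = [("any", f"mail-{i:02d}", "smtp", "accept") for i in range(1, 11)] + [
    ("internal", "proxy", "http", "accept"),
    ("internal", "proxy", "https", "accept"),
    ("dmz-web", "db-01", "mysql", "accept"),
    ("any", "any", "any", "drop"),  # clean-up rule, the article's Any/Any/Deny
]

# Size bands from the article: Spitzner's 30/50/200 plus the author's 100-rule remark.
# Labels are assumptions for this example.
BANDS = [(30, "manageable"), (50, "confusing; misconfiguration odds rising"),
         (100, "losing battle"), (200, "data flows very hard to map"),
         (float("inf"), "revisit the whole security architecture")]

def rate(rule_count):
    """Return the qualitative band for a rule count."""
    return next(label for limit, label in BANDS if rule_count <= limit)

def consolidate(rules):
    """Merge runs of *adjacent* rules that differ only in destination.

    Returns rules whose destination is a tuple (a named group in a real
    rulebase). Only adjacent rules are merged, so first-match order is kept and
    behaviour is identical; merging non-adjacent rules could hoist an accept
    above a more specific deny that sits between them.
    """
    merged = []
    for src, dst, svc, action in rules:
        if merged and merged[-1][0] == src and merged[-1][2:] == (svc, action):
            merged[-1] = (src, merged[-1][1] + (dst,), svc, action)
        else:
            merged.append((src, (dst,), svc, action))
    return merged

def report(rules):
    """Rule counts before and after consolidation, each with its size band."""
    before, after = len(rules), len(consolidate(rules))
    return {"rules": before, "band": rate(before),
            "consolidated": after, "consolidated_band": rate(after)}

if __name__ == "__main__":
    print(report(RULEBASE))
```

Run against a real export, the interesting output is not the band alone but how far the consolidated count sits below the raw count: a large gap means the rulebase is carrying granularity the policy never asked for.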

It ultimately comes down to the fact that the simpler the rulebase, the less likely one is to have any sources of error or misconfiguration. A firewall with one rule can be wide open, while a firewall with 1000 rules can indeed be locked down tight. And between one and a thousand, exactly how many rules should there be on a corporate firewall? It depends.

