Firewall Rule Set Complexity: Good Configuration Comes in Small Policies
By Dr. Avishai Wool
Practically every corporation that is connected to the Internet uses firewalls as the first line of its cyber-defense. However, the protection these firewalls provide is only as good as the policy they are configured to implement. It has been said that the single most important factor of your firewall's security is how you configure it, yet according to feedback provided by payment card brands and PCI auditing firms, 80 percent of firewalls examined in a breach investigation are misconfigured.
Curious about this phenomenon, I obtained rule-sets from a variety of corporations that use the AlgoSec Firewall Analyzer [ed. note: Wool is CTO of AlgoSec]. Considering 36 vendor-neutral configuration errors that create risk behind the firewall, I evaluated more than 80 Check Point and Cisco firewall rule sets. After determining a measure of firewall complexity for each vendor, I discovered that indeed firewalls are poorly configured – and that there is a strong correlation between a rule-set’s complexity and the number of detected configuration errors.
Serious errors are alarmingly frequent. For instance, Microsoft services, which are a vector to numerous Internet worms, are allowed to enter networks from the outside in 42 percent of the surveyed firewalls. Furthermore, among the most complex firewalls, I detected at least 20 errors in 75 percent of the configurations.
Complex firewall rule-sets are too difficult for their administrators to manage effectively. It is safer to limit the complexity of a firewall rule-set. For example, instead of connecting an additional subnet to the primary firewall, which in turn generates more rules and objects, a company can reduce its risk by installing a dedicated firewall to protect the new subnet.
As my research indicates, there are very few high-complexity rule sets that are well-configured. Furthermore, there is a clear correlation between rule set complexity and the number of detected errors. Thus, we can say that for well-configured firewalls, good things come in small packages.
Dr. Avishai Wool is CTO of AlgoSec, a network security policy management company.