- The paper introduces a new complexity measure and confirms the correlation between rule-set complexity and configuration errors in firewall systems.
- It applies quantitative analysis to 84 firewall rule-sets from Check Point and Cisco PIX, checking each against 36 vendor-neutral risk items.
- Findings reveal that newer firewall versions do not reduce errors, highlighting the need for simpler rule-set designs to enhance security.
Firewall Configuration Errors Revisited
This paper, "Firewall Configuration Errors Revisited" (arXiv:0911.1240), revisits the quantitative study of firewall configuration errors first carried out in 2004. It aims to validate the earlier findings with more recent data from two major firewall vendors, Check Point FireWall-1 and Cisco PIX, and it extends the evaluation method by introducing a complexity measure that applies to both kinds of firewall.
Introduction
The paper addresses firewall configuration errors in corporate environments. Firewalls are central to network security, yet errors in their configuration undermine the protection they are meant to provide. The 2004 study found that rule-set complexity was positively correlated with the number of configuration errors. This paper revisits that finding with newer data and a refined methodology, and it includes rule-sets from both Check Point and Cisco PIX, broadening the scope beyond the single vendor of the original study.
Methodology
The study collects and analyzes 84 firewall rule-sets spanning several software versions from both vendors. The rule-sets were obtained under non-disclosure agreements to protect sensitive corporate information. Each rule-set is checked against a list of 36 vendor-neutral risk items, an expanded version of the list used in 2004, and the counts are analyzed quantitatively. A new measure of firewall complexity, "Firewall Complexity" (FC), allows rule-sets from different products to be compared despite their differing syntax and semantics.
Findings and Implications
Persistency of Errors
The study confirms that firewalls remain poorly configured, with errors widespread across the sample. A large fraction of the firewalls allow inbound traffic to services that should not be exposed to the Internet, such as NetBIOS and SMTP. Outbound traffic is handled no better: many firewalls permit outbound SMTP far more broadly than a mail relay needs, which lets compromised internal hosts leak data or serve as a source of outbound abuse.
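As an added example (not the paper's tool, formula or data), the following small vendor-neutral checker works in the spirit of the methodology above: it scores a rule-set's complexity and probes it for three of the risk classes just mentioned (inbound NetBIOS, inbound SMTP to non-relays, outbound SMTP from non-relays). It evaluates the effective policy with first-match semantics, so an earlier deny correctly shadows a later over-broad allow. The rule format, the object zones, the mail_relays allow-list, the complexity formula (rules + objects + interface pairs, modelled on the shape of the 2004 study's rule-complexity measure, but treat the exact form as an assumption) and both sample rule-sets are constructed for illustration.

```python
"""Illustrative rule-set checker (added example; not the paper's FC definition)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

NETBIOS_PORTS = {137, 138, 139}   # NetBIOS name, datagram and session services
SMTP_PORT = 25


@dataclass(frozen=True)
class Rule:
    src: str            # object name, or "any"
    dst: str            # object name, or "any"
    proto: str          # "tcp", "udp" or "any"
    port: Optional[int]  # None means any port
    action: str         # "allow" or "deny"


@dataclass
class RuleSet:
    name: str
    interfaces: int
    objects: dict            # object name -> "internal" | "external" | "dmz" (assumed zones)
    rules: list = field(default_factory=list)          # ordered, first match wins
    mail_relays: frozenset = frozenset()               # objects that may speak SMTP (assumed)


def complexity(rs: RuleSet) -> int:
    """Assumed complexity score: rules + objects + number of interface pairs."""
    return len(rs.rules) + len(rs.objects) + rs.interfaces * (rs.interfaces - 1) // 2


def _covers(rule: Rule, src: str, dst: str, proto: str, port: int) -> bool:
    return (rule.src in ("any", src) and rule.dst in ("any", dst)
            and rule.proto in ("any", proto)
            and (rule.port is None or rule.port == port))


def allowed(rs: RuleSet, src: str, dst: str, proto: str, port: int) -> bool:
    """First-match evaluation with an implicit final deny."""
    for rule in rs.rules:
        if _covers(rule, src, dst, proto, port):
            return rule.action == "allow"
    return False


def risk_items(rs: RuleSet) -> list:
    """Probe the effective policy for a few vendor-neutral risk items."""
    findings = []
    internal = [o for o, zone in rs.objects.items() if zone == "internal"]
    external = [o for o, zone in rs.objects.items() if zone == "external"]
    for src in external:
        for host in internal:
            for port in sorted(NETBIOS_PORTS):
                for proto in ("tcp", "udp"):
                    if allowed(rs, src, host, proto, port):
                        findings.append(f"inbound NetBIOS {proto}/{port} from {src} to {host}")
            if host not in rs.mail_relays:
                if allowed(rs, src, host, "tcp", SMTP_PORT):
                    findings.append(f"inbound SMTP from {src} to non-relay {host}")
                if allowed(rs, host, src, "tcp", SMTP_PORT):
                    findings.append(f"outbound SMTP from non-relay {host} to {src}")
    return findings


# Constructed sample rule-sets (not from the paper's data set).
TIGHT = RuleSet(
    name="tight", interfaces=2,
    objects={"internet": "external", "mailhost": "internal", "lan": "internal"},
    mail_relays=frozenset({"mailhost"}),
    rules=[
        Rule("any", "mailhost", "tcp", 25, "allow"),
        Rule("mailhost", "any", "tcp", 25, "allow"),
        Rule("lan", "any", "tcp", 443, "allow"),
    ],
)

SPRAWL = RuleSet(
    name="sprawl", interfaces=4,
    objects={"internet": "external", "mailhost": "internal", "lan": "internal",
             "fileserver": "internal", "printer": "internal", "dmz-web": "dmz"},
    mail_relays=frozenset({"mailhost"}),
    rules=[
        Rule("internet", "fileserver", "tcp", 139, "deny"),   # shadows one port of the next rule
        Rule("any", "fileserver", "any", None, "allow"),      # "any service" to the file server
        Rule("any", "mailhost", "tcp", 25, "allow"),
        Rule("lan", "any", "any", None, "allow"),             # unrestricted outbound from the LAN
        Rule("mailhost", "any", "tcp", 25, "allow"),
        Rule("any", "dmz-web", "tcp", 443, "allow"),
        Rule("internet", "printer", "udp", 137, "allow"),
    ],
)

if __name__ == "__main__":
    for rs in (TIGHT, SPRAWL):
        print(f"{rs.name}: complexity={complexity(rs)} risk items={len(risk_items(rs))}")
        for item in risk_items(rs):
            print("  ", item)
```

Note that the checker asks "what does the policy allow" rather than pattern-matching individual rules; that is why the early deny on tcp/139 to the file server is honoured while the remaining NetBIOS ports behind the "any service" rule are still reported. On these constructed inputs the larger rule-set scores higher on complexity and yields more risk items, which is the kind of relationship the paper measures across real rule-sets.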
Complexity Correlation
The paper confirms the positive correlation between rule-set complexity and the number of detected risk items, reinforcing the "small is beautiful" conclusion of the 2004 study. Administrators are advised to keep rule-sets as small as the environment allows; virtualization and network segmentation can help split one sprawling policy into several simpler, tighter configurations that are less prone to error.
Version Analysis
Contrary to expectations, the paper finds that rule-sets on newer firewall software versions do not show fewer configuration errors, which it attributes to the core filtering model being unchanged across versions. This challenges the assumption that upgrading the software by itself leads to better configurations.
Vendor Impact
The study also reveals vendor-specific trends. Cisco PIX configurations generally exhibit fewer errors than Check Point configurations, which the paper suggests may be due to the PIX's steeper learning curve encouraging more cautious configuration. As complexity grows, however, PIX rule-sets display error counts comparable to complex Check Point rule-sets.
Conclusion
The work reinforces the findings of the 2004 study: firewalls are still routinely misconfigured, and simplicity in rule-set design remains the most effective remedy. The Firewall Complexity (FC) measure gives administrators a vendor-neutral way to gauge how error-prone a rule-set is likely to be and to justify careful rule-set management. With its larger sample, second vendor and refined metrics, the study offers well-grounded recommendations for improving corporate firewall management practices.