On Wed, 5 Dec 2001, Richard Saddington wrote:

> Thanks for your response,
>
> The point you make about a firewall not telling you that you have left a
> hole in the security is useful. What I am trying to find out is common
> issues where administrators have configured a rulebase that looks correct
> and may work correctly, only to discover at a later date they have left a
> wide open hole somewhere, either because rules function differently than
> expected or because they didn't test every possible rule boundary.

Policy won't make up for poor implementation, but the policy should always
be to review any proposed rule change in light of the entire protection
scheme.

> The point I was hoping to get feedback on was altering an existing rulebase
> to incorporate changes in an organisation's security policy. Should the whole
> rulebase be reworked or can extra rules just be added to the end? Then comes
> the issue of performance: should rules that permit the most amount of
> traffic be given priority over more defined rules?

Rules for some devices (such as Cisco routers) work on a "first match"
basis, and in that case __absolutely__ should be ordered by traffic load.
For other traffic, or complex setups, it's really a call based on profile
and interaction.  If rules are fairly simple, and stand-alone, then it
always makes sense to match on volume first for the highest volume protocols.

Typically, that tends to be inbound and outbound browser traffic.

If you're not doing anti-spoofing on a different device though,
anti-spoofing rules will need to be first, as they should override
allowable traffic.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
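
As an added example (not part of the original thread), a small first-match rule evaluator showing why anti-spoofing rules must sit ahead of even the busiest permit rule when ordering for performance. The rulebase, hit counts and packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str              # "permit" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dport: Optional[int]     # destination port, None = any
    antispoof: bool = False  # must override permits, so must be matched first
    hits: int = 0            # observed match count (constructed values here)

def matches(rule, pkt):
    return (ip_address(pkt["src"]) in ip_network(rule.src)
            and ip_address(pkt["dst"]) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt["dport"]))

def first_match(rules, pkt):
    """Cisco-style first-match evaluation with an implicit final deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"

def order_for_first_match(rules):
    """Anti-spoofing rules first (relative order kept), then the rest by volume."""
    spoof = [r for r in rules if r.antispoof]
    rest = sorted((r for r in rules if not r.antispoof), key=lambda r: -r.hits)
    return spoof + rest

# Constructed rulebase for traffic arriving on the Internet-facing interface.
INTERNAL = "10.0.0.0/8"
RULES = [
    Rule("permit-inbound-web", "permit", "0.0.0.0/0", INTERNAL, 80, hits=900_000),
    Rule("permit-inbound-smtp", "permit", "0.0.0.0/0", INTERNAL, 25, hits=60_000),
    Rule("deny-spoofed-internal-src", "deny", INTERNAL, "0.0.0.0/0", None,
         antispoof=True, hits=12),
]

# Constructed packet: arrives from the Internet but claims an internal source.
SPOOFED = {"src": "10.1.1.1", "dst": "10.0.0.5", "dport": 80}

def compare():
    """Return (verdict with volume-only ordering, verdict with anti-spoof first)."""
    volume_only = sorted(RULES, key=lambda r: -r.hits)
    return (first_match(volume_only, SPOOFED)[0],
            first_match(order_for_first_match(RULES), SPOOFED)[0])
```

Sorting purely by hit count lets the spoofed packet through on the web rule; keeping the anti-spoofing rule at the top and sorting only the remainder by volume preserves both the protection and the performance win.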

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls