Scores for all complexity factors (Name: netscreen1, Type: NetScreen)

The specific factors contributing to complexity in firewall configurations are analyzed below for your firewall.


Complexity Factor: Your Count, Your Score

Total Rules: 1129, VERY HIGH

This is the total number of rules that are defined within the firewall rulebase and includes ACL and address translation rules. A large rulebase will make it difficult to understand the effect of any given rule. This introduces more possibilities for errors and security risks.

Start by understanding your policies at a high level, then derive specific rules from those policies. You can reduce the number of rules by using object groups to combine rules with a common purpose. For example, multiple rules that allow the same services to different destination addresses could be combined into a single rule using an object group consisting of the different destination addresses. You can define objects for groups of services or groups of addresses. Remove redundant rules that play no part in firewall behavior.

ACL Rules: 1114, VERY HIGH

This is the number of access control rules found in the rulebase. A large rulebase will make it difficult to understand the effect of any given rule. This introduces more possibilities for errors and security risks.

Identify rules that have a related purpose and combine them using object groups to group related sources or destinations or service groups to group related services. Remove redundant rules that play no part in firewall behavior.

NAT Rules: 15, LOW

This is the number of address translation rules found in the rulebase. A large number of NAT rules likely indicates a lot of address translations for individual servers/hosts and possibly for specific services as well. Such policies overload NAT rules to perform access control, which obscures the address translations and increases the difficulty of maintaining the firewall configuration.

Address Elements: 1010, VERY HIGH

This is the total number of basic address elements (hosts, subnets and IP address ranges) that are used within the firewall rulebase. A large number of address elements has the same problems as a large rulebase, and indicates that many very specific subnets and hosts are referenced in the firewall.

Group the very specific hosts and subnets into larger subnets or address ranges. Use object groups for grouping addresses that have common policy. Specific addresses should only be used for servers providing specific services.

Service Elements: 185, HIGH

This is the total number of basic service elements that are being used within the firewall rulebase. A large number of service elements indicates that the firewall is being used to control access to too many specific services within the network. This provides more opportunities for dangerous services to be allowed into the network.

Remove unused services. Use object groups for grouping services that have common policy.

Interfaces: 23, VERY HIGH

This is the number of physical interfaces present in the firewall. A large number of interfaces indicates the firewall is being used to centralize access control for a network partitioned into many separate zones. This means that you have to analyze many paths between zones when specifying the rules, which makes the configuration difficult to maintain.

Deploy multiple firewalls or firewalls with multiple contexts. This partitions and reduces the number of paths. Firewalls with multiple contexts might cost more initially but in the long run it will simplify maintenance and provide better performance.

VPN Connections: 0, LOW

This is the number of VPN connections to remote networks. A large number of VPN connections indicates that the firewall is being used to centralize access control to many remote sites. This means that you have to analyze many paths between remote networks.

Number of expanded ACL Rules: 10463, HIGH

This is the total number of simple rules that you get after expanding the ACL rules into the basic elements of each object group used within them. This gives a measure of the real size of the rulebase within the firewall, and indicates how aggregated the ACL rules are. If the object groups are properly defined and maintained based on a high level policy, this greatly simplifies the management of the rulebase. However, if the rulebase is not properly maintained and there are a lot of overlaps between rules, then highly aggregated ACL rules make it very difficult to debug the rulebase, especially for firewalls like Checkpoint.

The firewall has a highly aggregated rulebase with a lot of object group usage. This is good as long as policy is not being duplicated with a lot of overlap between rules. If there are a lot of overlaps between rules, it will be difficult to maintain the firewall.

Rules with Any Service: 244, VERY HIGH

This is the number of ACL rules within the rulebase that allow all TCP services (protocol=6, port=1-65535), all UDP services (protocol=17, port=1-65535), or all IP protocols (protocol=1-255). Such rules are very general and increase the potential for exposure to dangerous services or malicious hosts. A good policy practice is to allow only services that are specifically required for business operations.

Identify over-general rules that match any TCP/UDP service or any IP protocol. Replace the Any matches with the specific TCP/UDP services or IP protocols that are actually required.

Rules with Any Source or Destination address: 198, HIGH

This is the number of ACL rules within the rulebase that allow any IP address as either source or destination. Such rules are very general and increase the potential for exposure to dangerous services or malicious hosts. A good policy practice is to allow only specific source or destination addresses wherever possible.

Identify over-general rules that match any source or destination. Replace the Any matches with more specific IP addresses or subnets to reduce the number of allowed source or destination addresses.

Rules with Any Service and Any Src/Dst address: 68, VERY HIGH

This is the number of ACL rules within the rulebase that allow all IP addresses either as source or destination and allow all TCP/UDP services or IP protocols. Such rules are too general and offer a maximum potential for exposure to dangerous services or malicious hosts. A good policy practice is to allow only specific source or destination addresses wherever possible and allow only specific services.

Identify over-general rules that match any source or destination together with any TCP/UDP service or any IP protocol. Replace these generalized matches with general denies and specific permits for only the required hosts, subnets and services.
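The counts reported above for expanded ACL rules, rules with Any service, rules with Any source or destination, rules with both, and deny rules can all be derived from the same rulebase model. The following script is an added example (not FirewallGrader's or the NetScreen vendor's code) that computes these metrics over a constructed sample rulebase. The `Rule` class, the group names (`web-servers`, `corp-lan`, `branch-nets`, `web`, `mgmt`) and the wildcard spellings in `ANY_SERVICES` and `ANY_ADDRESS` are simplified assumptions, not real NetScreen syntax; the wildcard definitions follow the report's own description (all TCP or UDP ports, or all IP protocols). It also lists the permit rules that are wildcard in both service and address, since those are the ones the report says to replace first.

```python
"""Compute rulebase complexity metrics of the kind reported by FirewallGrader.

Added illustration; not FirewallGrader's or Juniper's code. The rulebase and
object groups below are constructed sample data, and the rule model is a
simplified, vendor-neutral assumption rather than NetScreen configuration syntax.
"""
from dataclasses import dataclass

# Constructed sample object groups (assumed names, not from any real device).
ADDRESS_GROUPS = {
    "web-servers": ["10.1.1.10/32", "10.1.1.11/32", "10.1.1.12/32"],
    "corp-lan": ["10.2.0.0/16"],
    "branch-nets": ["192.168.10.0/24", "192.168.20.0/24"],
}
SERVICE_GROUPS = {
    "web": ["tcp/80", "tcp/443"],
    "mgmt": ["tcp/22", "udp/161"],
}

# Wildcards as the report describes them: all TCP ports, all UDP ports, or all
# IP protocols. The spellings are assumptions for this toy model.
ANY_SERVICES = {"tcp/1-65535", "udp/1-65535", "ip/1-255", "any"}
ANY_ADDRESS = {"any", "0.0.0.0/0"}


@dataclass
class Rule:
    name: str
    src: list          # address elements or address group names
    dst: list
    services: list     # service elements or service group names
    action: str        # "permit" or "deny"
    kind: str = "acl"  # "acl" or "nat"


def expand(items, groups):
    """Replace each group name with its members; basic elements pass through."""
    out = []
    for item in items:
        out.extend(groups[item] if item in groups else [item])
    return out


def expanded_rule_count(rule):
    """Number of simple (src, dst, service) rules this one rule stands for."""
    srcs = expand(rule.src, ADDRESS_GROUPS)
    dsts = expand(rule.dst, ADDRESS_GROUPS)
    svcs = expand(rule.services, SERVICE_GROUPS)
    return len(srcs) * len(dsts) * len(svcs)


def has_any_service(rule):
    return any(s in ANY_SERVICES for s in expand(rule.services, SERVICE_GROUPS))


def has_any_address(rule):
    return any(a in ANY_ADDRESS for a in expand(rule.src + rule.dst, ADDRESS_GROUPS))


def complexity_metrics(rules):
    """Counts matching the factors in the report, computed over ACL rules."""
    acl = [r for r in rules if r.kind == "acl"]
    nat = [r for r in rules if r.kind == "nat"]
    return {
        "total_rules": len(rules),
        "acl_rules": len(acl),
        "nat_rules": len(nat),
        "expanded_acl_rules": sum(expanded_rule_count(r) for r in acl),
        "any_service": sum(has_any_service(r) for r in acl),
        "any_address": sum(has_any_address(r) for r in acl),
        "any_service_and_address": sum(
            has_any_service(r) and has_any_address(r) for r in acl),
        "deny_rules": sum(r.action == "deny" for r in acl),
    }


def worst_offenders(rules):
    """Permit rules wildcard in both service and address: review these first."""
    return [r.name for r in rules
            if r.kind == "acl" and r.action == "permit"
            and has_any_service(r) and has_any_address(r)]


# Constructed sample rulebase.
SAMPLE_RULES = [
    Rule("r1", ["corp-lan"], ["web-servers"], ["web"], "permit"),
    Rule("r2", ["branch-nets"], ["web-servers"], ["mgmt"], "permit"),
    Rule("r3", ["any"], ["web-servers"], ["tcp/1-65535"], "permit"),
    Rule("r4", ["corp-lan"], ["any"], ["any"], "permit"),
    Rule("r5", ["any"], ["any"], ["ip/1-255"], "deny"),
    Rule("nat1", ["10.1.1.10/32"], ["any"], ["any"], "permit", kind="nat"),
]

if __name__ == "__main__":
    for key, value in complexity_metrics(SAMPLE_RULES).items():
        print(f"{key}: {value}")
    print("fix first:", worst_offenders(SAMPLE_RULES))
```

On the sample data the five ACL rules expand to 23 simple rules (r2 alone stands for 2 sources x 3 destinations x 2 services), three rules are wildcard in service, three in address, and r3 and r4 are flagged as permits that are wildcard in both. Replacing the group definitions and `SAMPLE_RULES` with output from your own configuration parser gives the same counts for a real rulebase.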

Total Deny Rules: 161, VERY HIGH

This is the number of ACL rules in the rulebase that deny access to specific services and/or addresses within the network. A high number of deny rules within the rulebase likely indicates a general policy of "permit many, deny some". Such policies are overly permissive and protect sensitive data assets only from known threats. Changes in the threat environment necessitate corresponding updates to the deny policies, leading to frequent and error-prone maintenance of firewall rulesets. A good policy practice is to deny everything by default and only allow the required IP addresses or subnets and services.

Identify the services required for business operations and the IP addresses or subnets that require access through the firewall. Permit these exceptions and deny everything else.
