Wednesday, February 4, 2009

An Analysis of Firewall Rulebase (Mis)Management Practices

Mike Chapple, John D'Arcy, and Aaron Striegel, all from the University of Notre Dame, recently published an article titled "An Analysis of Firewall Rulebase (Mis)Management Practices" (edit: link updated) in the ISSA Journal - described as the first widespread analysis of firewall management practices, based on a survey of firewall administrators and their supervisors.

According to the article, the survey was based on a series of open- and closed-ended questions which assessed the state of an organization's firewalls, their management practices, and the issues that were encountered with them. With 101 valid results out of 148 total respondents, this is a sizable survey of firewall administrators. In addition, they surveyed supervisors of firewall managers. In both cases, the distribution reached across industry.

Their findings are interesting -

  • An average ruleset size double what it was in 2000.
  • A high correlation between platform and ruleset size.
  • A high turnover or churn rate for firewall changes.

Error rates were also a key part of the study - they found that 91% of administrators believed that at least one error was introduced into their ruleset in the average month, and half of those administrators believe the errors go unfixed.

The article suggests that appropriate staffing levels and skillsets, as well as automated error detection, are the best routes to fixing these issues. I would suggest a third step as well - a clear initial design and well-defined conventions for how rules are written, what syntax they use, and how they are tracked over time.
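As an added illustration of the automated error detection the authors recommend (this is example code written for this post, not from the article or any firewall vendor), the script below parses a small constructed ruleset in a made-up one-line-per-rule syntax, rejects malformed lines, and flags rules that an earlier rule already fully covers under first-match evaluation. Those are exactly the errors that accumulate quietly as a ruleset churns: a redundant rule is dead weight, and a conflicting one silently never takes effect.

```python
import ipaddress
import re

# Constructed rule grammar for this example (not a vendor format):
#   <id> <allow|deny> <tcp|udp|any> <src CIDR> <dst CIDR> <port|lo-hi|any>
RULE_RE = re.compile(
    r"^(\w+)\s+(allow|deny)\s+(tcp|udp|any)\s+(\S+)\s+(\S+)\s+(\d+(?:-\d+)?|any)$")

# Constructed sample ruleset: R3 is redundant with R1, R4 is shadowed by R2.
SAMPLE_RULESET = """\
R1 allow tcp 10.0.0.0/8     192.168.1.10/32 443
R2 deny  any 0.0.0.0/0      192.168.1.0/24  any
R3 allow tcp 10.1.0.0/16    192.168.1.10/32 443
R4 allow tcp 10.2.0.0/16    192.168.1.20/32 22
"""

def parse_rule(line):
    """Parse one rule line into a dict; raise ValueError on bad syntax."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    rid, action, proto, src, dst, ports = m.groups()
    if ports == "any":
        lo, hi = 0, 65535
    else:
        parts = ports.split("-")
        lo, hi = int(parts[0]), int(parts[-1])
    return {"id": rid, "action": action, "proto": proto,
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "ports": (lo, hi)}

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return ((a["proto"] == "any" or a["proto"] == b["proto"])
            and a["src"].version == b["src"].version
            and a["dst"].version == b["dst"].version
            and a["src"].supernet_of(b["src"])
            and a["dst"].supernet_of(b["dst"])
            and a["ports"][0] <= b["ports"][0]
            and a["ports"][1] >= b["ports"][1])

def find_shadowed(rules):
    """First-match semantics: report each rule that an earlier rule fully covers.
    Same action means the later rule is redundant; a different action means it
    is a conflict (the later rule can never take effect)."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier["action"] == later["action"] else "conflict"
                findings.append((later["id"], earlier["id"], kind))
                break  # the first covering rule is enough to report
    return findings

def audit(text):
    """Parse a ruleset (blank lines and '#' comments ignored) and return findings."""
    rules = [parse_rule(l) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return find_shadowed(rules)

if __name__ == "__main__":
    for later, earlier, kind in audit(SAMPLE_RULESET):
        print(f"{later} is {kind} with earlier rule {earlier}")
```

Run against a real export, the same pass would be scheduled after every change, which is the tracking-over-time step that a rule-writing convention makes possible.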

Overall, an interesting read for firewall administrators and supervisors or management of organizations with firewalls.
