topic Re: # of rules vs simplicity in General Topics

# of rules vs simplicity

tomdevos — Wed, 03 Jul 2019 06:57:44 GMT

Hi all,

I'm currently reviewing our PA5250 security policy ruleset and I'm doubting the best way to handle it. We have about 800 rules and lots of those rules combine functions. For example a server is allowed to FTP to ip a.b.c.d and should be allowed to ssl to ip w.x.y.z. At the moment this is combined in one rule which means that servers is also allowed to FTP to w.x.y.z and to SSL to the first IP.

If I were to split up all those kind of rules I would at least double the number of rules. I know the limit of # of rules for the 5250 is 40000 so we are no where near that.

My questions:

- from a management perspective is it better to have lots of small rules or lots of "combined" rules

- from a resource/throughput perspective: is it better to have for example 10000 simple rules (1 source - 1 destination) or 2000 complex rules (multiple source and destionations)

Thanks in advance for your opinion on this topic

Re: # of rules vs simplicity

reaper — Wed, 03 Jul 2019 07:58:56 GMT

For the chassis' performance neither situations have a huge impact, from a management perspective more rules is more complexity, but this helps the third view: security, how secure are combined rules? it also depends on your stance, open and rely on security profiles to stop threats or restrictive and preventing threats before they happen to help the logistical nightmare of managing hundreds or thousands of rules, there's a few things that can help like tagging your zones which helps filtering your view of the policy to the task at hand. Rule Usage and the PAN-OS 9.0 'policy optimizer' tool can help determine which rules are being used or can be improved

Re: # of rules vs simplicity

Mick_Ball — Wed, 03 Jul 2019 11:58:42 GMT

from a management prospective, 1 policy, allow all.

from a security prospective I would not hesitate to split your example into 2 seperate policies regardles of the sums...

It maybe that your servers listed are not listening on the other ports but for me it's "peace of mind" and confidence in saying "No.. Thats not possible".

The filter option works for me to only see the policies needed.

there are of course many reasons to combine policies but not for ease of management over security.

Re: # of rules vs simplicity

Brandon_Wertz — Wed, 03 Jul 2019 12:30:41 GMT

This is a great question, and @reaper and @Mick_Ball both had great feedback. Another thing to consider is support ability and technical capability of the staff administering the box. If the techs looking into potential firewall problems are senior staff with 9+ years experience then the more complex rule base shouldn't cause a problem in the slightest. However if you have more junior less seasoned people administering the FW then a simpler more straightforward policy base might be more appropriate.

If you're using IP definition in at least one direction, application based policy that's using application-default, threat features enabled, and SSL decryption there might not be as great of a risk combing 'like' requirements into one rule versus breaking out that one rule into 20+.

I think there are many factors that can lead an admin towards one direction or another; complex or simple rule base, if the admin of the box can't discern scope and intent of a firewall rule then that network is going to inherently be less secure and more vulnerable.

Re: # of rules vs simplicity

OtakarKlier — Wed, 03 Jul 2019 17:48:04 GMT

Hello,

Also depends on any requirements such as compliance you might be under. For instance we are under a 'Least Privelegde, deny all allow by exception requirement. So in the example you gave, we would require two policies since combining them would be similar to permissions creep where you allow more than should be allowed.

Hope that makes sense.

Re: # of rules vs simplicity

Sec101 — Wed, 17 Jul 2019 17:31:06 GMT

complexity is the enemy of security? This is great discussion....it gets harder to manage the larger the ruleset gets I think. Keeping things simple in a complex world is a challenge