I'm currently reviewing our PA5250 security policy ruleset and I'm doubting the best way to handle it. We have about 800 rules and lots of those rules combine functions. For example a server is allowed to FTP to ip a.b.c.d and should be allowed to ssl to ip w.x.y.z. At the moment this is combined in one rule which means that servers is also allowed to FTP to w.x.y.z and to SSL to the first IP.
If I were to split up all those kind of rules I would at least double the number of rules. I know the limit of # of rules for the 5250 is 40000 so we are no where near that.
- from a management perspective is it better to have lots of small rules or lots of "combined" rules
- from a resource/throughput perspective: is it better to have for example 10000 simple rules (1 source - 1 destination) or 2000 complex rules (multiple source and destionations)
Thanks in advance for your opinion on this topic
from a management prospective, 1 policy, allow all.
from a security prospective I would not hesitate to split your example into 2 seperate policies regardles of the sums...
It maybe that your servers listed are not listening on the other ports but for me it's "peace of mind" and confidence in saying "No.. Thats not possible".
The filter option works for me to only see the policies needed.
there are of course many reasons to combine policies but not for ease of management over security.
This is a great question, and @reaper and @MickBall both had great feedback. Another thing to consider is support ability and technical capability of the staff administering the box. If the techs looking into potential firewall problems are senior staff with 9+ years experience then the more complex rule base shouldn't cause a problem in the slightest. However if you have more junior less seasoned people administering the FW then a simpler more straightforward policy base might be more appropriate.
If you're using IP definition in at least one direction, application based policy that's using application-default, threat features enabled, and SSL decryption there might not be as great of a risk combing 'like' requirements into one rule versus breaking out that one rule into 20+.
I think there are many factors that can lead an admin towards one direction or another; complex or simple rule base, if the admin of the box can't discern scope and intent of a firewall rule then that network is going to inherently be less secure and more vulnerable.
Also depends on any requirements such as compliance you might be under. For instance we are under a 'Least Privelegde, deny all allow by exception requirement. So in the example you gave, we would require two policies since combining them would be similar to permissions creep where you allow more than should be allowed.
Hope that makes sense.
complexity is the enemy of security? This is great discussion....it gets harder to manage the larger the ruleset gets I think. Keeping things simple in a complex world is a challenge
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!