The first quantitative evaluation of the quality of corporate firewall configurations appeared in 2004, based on Check Point FireWall-1 rule-sets. In general that survey indicated that corporate firewalls were often enforcing poorly written rule-sets, containing many mistakes.
The goal of this work is to revisit the first survey. The current study is much larger. Moreover, for the first time, the study includes configurations from two major vendors. The study also introduce a novel "Firewall Complexity" (FC) measure, that applies to both types of firewalls.
The findings of the current study indeed validate the 2004 study's main observations: firewalls are (still) poorly configured, and a rule-set's complexity is (still) positively correlated with the number of detected risk items. Thus we can conclude that, for well-configured firewalls, ``small is (still) beautiful''. However, unlike the 2004 study, we see no significant indication that later software versions have fewer errors (for both vendors).
[1]
Stefan Savage,et al.
The Spread of the Sapphire/Slammer Worm
,
2003
.
[2]
Andy Fox,et al.
Cisco Secure PIX Firewalls
,
2001
.
[3]
Avishai Wool,et al.
A quantitative study of firewall configuration errors
,
2004,
Computer.
[4]
Avishai Wool,et al.
The use and usability of direction-based filtering in firewalls
,
2004,
Comput. Secur..
[5]
Marcus J. Ranum,et al.
Web Security Sourcebook
,
1997
.
[6]
Dameon D. Welch-Abernathy.
Essential Check Point Firewall-1: An Installation, Configuration, and Troubleshooting Guide
,
2002
.
[7]
Avishai Wool,et al.
Offline firewall analysis
,
2006,
International Journal of Information Security.