
Re: [FW1] Rulebase optimization



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I saw some basic guidelines on phoneboy.

This is kind of touchy feely, because it will depend on your hardware,
platform, the rules themselves, etc.

A good rule of thumb is to keep # of rules around 50 or less. Put
high-hitting rules at the top (phoneboy says he likes to put inbound rules
first, but if this firewall does mostly outbound traffic, it would make
more sense to put those first.. it depends on what you are doing with the
firewall).

I personally try to implement a similar "look & feel" to my firewalls
(esp. when it's multiple units).

 - Access b/t firewalls (when HA)
 - Admin access (for FW admins and OS admins)
 - Any monitoring of the firewalls (like Tivoli, or some other monitoring
   that needs either ICMP or SNMP to the firewall... I know... I am
   forced against my will to allow this access sometimes)
 - VPN & User Auth rules (because they need to interface with the FW
   directly in some way or another).
 - Stealth Rule
 - Inbound/Outbound rules depending on core function of FW... look at what
   this FW is doing.. if it's doing NAT for 100K clients, then maybe
   allowing either the clients or their http proxies early would be a good
   idea
 - Clean-up Rule


Carric Dooley
Senior Consultant
COM2:Interactive Media

"But this one goes to eleven."
- -- Nigel Tufnel


On Mon, 5 Feb 2001, Allan Pratt wrote:

> 
> Does anyone know of documents about rulebase optimization?
> 
> i.e., how to properly write a rule base, performance issues of too many 
> rules, etc.
> 
> thanks!
> 
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Made with pgp4pine 1.75-6

iQA/AwUBOn8mc1UqWOkDpMZ2EQIAmACgnP7OY4GKd5U4XkVgQv4RaPowLq4AoL5o
nmirmuX7LCir8BWLEf/wjaZM
=TGHT
-----END PGP SIGNATURE-----
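Added example, not part of the thread above and not Check Point code: a small Python model of the "high-hitting rules at the top" advice, together with the check a practitioner wants before touching a production rulebase. It bubbles busier rules upward one adjacent swap at a time, but only past a neighbour that no packet could match together, so every packet's first match (and the rule its hit is logged against) stays identical. The rule names, network objects and traffic counts are constructed for the example. The second rulebase shows why the destination column matters: with destination "any", the busiest outbound rule can never be lifted above the stealth rule, since the two might match the same packet, and it stays stuck at position five until its destination is made specific.

```python
"""Reorder a first-match firewall rulebase so busier rules sit higher, while
checking that the reorder cannot change what the rulebase decides.
Rules, objects and traffic counts are constructed for this example."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    svc: frozenset
    action: str  # "accept" or "drop"


def rule(name, src, dst, svc, action):
    return Rule(name, frozenset(src), frozenset(dst), frozenset(svc), action)


def _field_matches(field, value):
    return ANY in field or value in field


def matches(r, pkt):
    src, dst, svc = pkt
    return (_field_matches(r.src, src) and _field_matches(r.dst, dst)
            and _field_matches(r.svc, svc))


def first_match(rules, pkt):
    """Return (action, index of the matching rule, or None) under first-match."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return r.action, i
    return "drop", None  # implicit drop when nothing matches


def decisions(rules, traffic):
    return {pkt: first_match(rules, pkt)[0] for pkt in traffic}


def evaluations(rules, traffic):
    """Total rule comparisons the engine performs for the traffic mix."""
    total = 0
    for pkt, count in traffic.items():
        _, i = first_match(rules, pkt)
        total += (len(rules) if i is None else i + 1) * count
    return total


def hit_counts(rules, traffic):
    hits = {r.name: 0 for r in rules}
    for pkt, count in traffic.items():
        _, i = first_match(rules, pkt)
        if i is not None:
            hits[rules[i].name] += count
    return hits


def _fields_overlap(a, b):
    return ANY in a or ANY in b or bool(a & b)


def may_overlap(r1, r2):
    """True if some packet could match both rules; wildcards overlap everything."""
    return all(_fields_overlap(a, b) for a, b in
               ((r1.src, r2.src), (r1.dst, r2.dst), (r1.svc, r2.svc)))


def optimize(rules, traffic):
    """Bubble busier rules upward one adjacent swap at a time, only past rules
    no packet can match together.  Each such swap keeps every packet's first
    match (and the rule it logs against) unchanged, so the result is
    equivalent to the input; overlapping rules never cross each other."""
    order = list(rules)
    hits = hit_counts(order, traffic)
    changed = True
    while changed:
        changed = False
        for i in range(1, len(order)):
            upper, lower = order[i - 1], order[i]
            if hits[lower.name] > hits[upper.name] and not may_overlap(upper, lower):
                order[i - 1], order[i] = lower, upper
                changed = True
    return order


FW = "fw-1"
# Constructed rulebase laid out in the order the post recommends.
RULES = [
    rule("admin-ssh",    {"admin-net"},    {FW},        {"ssh"},                  "accept"),
    rule("monitoring",   {"nms"},          {FW},        {"icmp", "snmp"},         "accept"),
    rule("stealth",      {ANY},            {FW},        {ANY},                    "drop"),
    rule("dmz-web-in",   {ANY},            {"web-dmz"}, {"http", "https"},        "accept"),
    rule("internal-out", {"internal-net"}, {ANY},       {"http", "https", "dns"}, "accept"),
    rule("cleanup",      {ANY},            {ANY},       {ANY},                    "drop"),
]
# Same rulebase, except internal-out names its destination instead of "any".
RULES_SPECIFIC = [r if r.name != "internal-out" else
                  rule("internal-out", {"internal-net"}, {"internet"},
                       {"http", "https", "dns"}, "accept") for r in RULES]
# Constructed traffic mix: (src, dst, service) -> packets seen.
TRAFFIC = {
    ("admin-net", FW, "ssh"): 5,
    ("nms", FW, "snmp"): 20,
    ("internet", FW, "ssh"): 50,
    ("internet", "web-dmz", "http"): 300,
    ("internal-net", "internet", "http"): 5000,
    ("internal-net", "internet", "dns"): 2000,
    ("internet", "internal-net", "smb"): 100,
}

if __name__ == "__main__":
    for label, rb in (("dst any", RULES), ("dst internet", RULES_SPECIFIC)):
        opt = optimize(rb, TRAFFIC)
        assert decisions(opt, TRAFFIC) == decisions(rb, TRAFFIC)
        print(label, evaluations(rb, TRAFFIC), "->", evaluations(opt, TRAFFIC),
              [r.name for r in opt])
```

Run as a script it prints the comparison count before and after for both rulebases. With destination "any" the reorder only lifts the DMZ and monitoring rules, because internal-out overlaps the stealth rule; with a named destination the busiest rule rises to the top and the comparison count drops by roughly three quarters, with identical decisions in both cases. The overlap test is deliberately conservative (any wildcard counts as overlapping), which is the right bias when the cost of a wrong swap is opening the firewall itself.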
