Wednesday, February 25, 2009

Firewall Complexity

It appears that our work on firewall complexity in the most recent ISSA Journal is nicely coinciding with work being done in industry. Secure Passage has just released a survey coming to roughly the same conclusions that we did, albeit focusing primarily on Fortune 1000 companies, whereas our survey was more broadly based.

Of particular note, the top two most shocking findings from the Secure Passage report:

Top 10 Shockers Revealed by Respondents:
1. 73 percent think firewall rule bases are too complex or out of control
2. 59 percent feel that a lack of management tools makes policy management difficult

Living firmly in the land of academia, and hence being able to speak from the ivory tower, I think these works should be a huge wake-up call for how security research should proceed. All too often in security research the perfect becomes the enemy of the good, but I think researchers forget that easy-to-use security (yes, Virginia, there is such a thing) offers a huge benefit to the overall health of the Internet ecosystem. Certainly there is a need for high-end, complex systems, such as for DARPA and the like, but by and large, complexity is not a friend of security.

Moreover, I do not think the problem is one of building a better interface for the existing tools. It is a general philosophy in which complexity is viewed as an informal indicator of correctness or completeness. Unfortunately, as my students can attest, try publishing something novel but not terribly complex and the results are often less than heartening. Perhaps that is best left to industry, but these surveys certainly attest to the security elephant in the room: we know things are bad and really cannot do much about it*.

Hat tip: Athena Security, which has a tool for managing firewall complexity, Athena FirePAC.

1 comment:

Michael Janke said...

No doubt that complexity is the enemy of security. When you get up in the thousands of rules range, it's pretty tough to keep things organized enough to make sure that you haven't created more problems than you've solved.

One thing is always true. If you don't have enough openings, you'll know it because something will be broken and someone will be yelling. On the other hand, if you have extra holes, nobody will ever complain.
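The point made in the post and the comment above (in a large first-match rule base, a rule can silently never fire, or silently open more than intended, and only the first kind gets noticed) can be made concrete with a small rule-base checker. The following is an added example written for this page; it is not code from the post, from the Secure Passage survey or from Athena FirePAC. The five-field rule syntax, the `Rule` class, the finding names and the sample rule base are all assumptions constructed for illustration.

```python
"""Toy first-match firewall rule-base analyzer (constructed example, not a real product).

Flags rules that are dead weight or silent over-exposure in an ordered rule base:
  * shadowed       - fully covered by an earlier rule with a different action,
                     so this rule never fires and its intent is silently lost
  * redundant      - fully covered by an earlier rule with the same action
  * any-any-permit - a permit with no source, destination, protocol or port restriction
Only coverage by a single earlier rule is checked; a rule hidden by the union of
several earlier rules is not detected (a known limitation of this simple approach).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    rid: int             # 1-based position in the rule base (first match wins)
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip" (ip = any protocol)
    src: IPv4Network
    dst: IPv4Network
    ports: tuple         # inclusive (low, high) destination port range


def parse_rule(rid, line):
    """Parse one line of the assumed syntax: '<action> <proto> <src> <dst> <port|lo-hi|any>'."""
    action, proto, src, dst, ports = line.split()
    if ports == "any":
        prange = ANY_PORTS
    else:
        lo, _, hi = ports.partition("-")
        prange = (int(lo), int(hi) if hi else int(lo))
    return Rule(rid, action, proto, ip_network(src), ip_network(dst), prange)


def load_rules(text):
    """Build the ordered rule list from multi-line text, skipping blank lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [parse_rule(i + 1, ln) for i, ln in enumerate(lines)]


def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    return (proto_ok
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def analyze(rules):
    """Return (rule_id, finding, covering_rule_id_or_None) tuples."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((rule.rid, kind, earlier.rid))
                break  # the first covering rule is the one that wins in first-match order
        if (rule.action == "permit" and rule.proto == "ip"
                and rule.src == ANY_NET and rule.dst == ANY_NET and rule.ports == ANY_PORTS):
            findings.append((rule.rid, "any-any-permit", None))
    return findings


# Constructed sample rule base: rule 3 is redundant with rule 1, rule 4 is shadowed
# by the deny in rule 2 (the "someone will be yelling" case), and rule 5 is the
# "extra hole" that nobody complains about.
SAMPLE_RULES = """\
permit tcp 10.0.0.0/8 192.168.1.10/32 443
deny tcp 10.0.0.0/8 192.168.1.0/24 any
permit tcp 10.1.2.0/24 192.168.1.10/32 443
permit tcp 10.0.0.0/8 192.168.1.20/32 22
permit ip 0.0.0.0/0 0.0.0.0/0 any
"""

if __name__ == "__main__":
    for rid, kind, by in analyze(load_rules(SAMPLE_RULES)):
        where = f" (covered by rule {by})" if by else ""
        print(f"rule {rid}: {kind}{where}")
```

The shadowed case is the one the comment says gets noticed (the intended permit never takes effect, so something breaks); the any-any permit is the one that does not. Running the script on the sample prints the redundant, shadowed and any-any findings for rules 3, 4 and 5 respectively.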