Firewall Rule Set Sizes

I've heard a broad range of claims on how large a firewall rule set might be, so I decided to dig around for published data. There are lots of quotes claiming gigantic numbers, but I only found three reports of plausible-looking data collection - one from 2001 and the others from last year. I also have notes from a fourth that I haven't verified.

Across the published data, firewall rule sets range from 5 rules to over 25,000 rules. Some claim that even larger rule sets exist, and the unverified figures below go higher still.

The number of rules seems to depend heavily on the number of users behind the firewall, and on how the firewall's rule language expresses the rules. A product whose rule language supports address groups, service groups and similar constructs needs fewer rules to implement a site's policy than one that takes a flat list of address/port pairs, where a single policy statement may expand into dozens of entries.

As with everything, small is beautiful. A large rule set is hard to keep accurate and up to date: nobody remembers why a given rule exists, so nobody dares remove it, and errors hide among rules that are never reviewed.

Wool Survey, 2001

My oldest source is "A Quantitative Study of Firewall Configuration Errors" by Avishai Wool, published in IEEE Computer in 2004 and based on firewall configurations collected around 2001. The researcher looked at 37 Check Point firewalls from a variety of sites and industries. Rule set sizes ranged from 5 to over 2,600, with an average of 144 rules per firewall. For comparison, the number of "objects" controlled by these firewalls (hosts, subnets, groups, etc.) ranged from 24 to over 5,800.

The author also defined a complexity measure for each rule set (combining the numbers of rules, objects and interfaces) and compared it against the number of configuration errors found. No surprise: the more complex rule sets tended to have more errors, and the simpler ones fewer.

Chapple, et al., Survey

These results came from a February '09 review of firewall rule (mis)management by Chapple, D'Arcy, and Striegel, published in the ISSA Journal. The authors took the 2001 survey as a starting point and greatly expanded the data set. Their survey included 144 respondents and covered a variety of firewall models and applications.

They found a range of rule set sizes from 6 to 17,000.

The average size was almost 800, but the median was only 200. That gap is what you expect from a long-tailed distribution: half of the respondents had 200 rules or fewer, and a minority of very large rule sets pulled the mean up. It does not mean there were many rule sets above 800; a handful of rule sets in the thousands is enough to move the average that far.

They also isolated the Check Point rule sets and computed new sizes to compare with the Wool survey. They found that the average Check Point firewall had roughly twice as many rules as in the 2001 data: 286 per firewall versus 144.

The average Cisco firewall had a rule set size of 1,325 (!!). This fits the point made earlier: an ACL-style rule language that takes one line per address/port combination needs many more entries to express the same policy than an object-oriented one. Incidentally, Cisco also has a third of the firewall market.

IDC/McAfee Survey

An IDC analysis on firewall management was released in June '09 for firewall vendor McAfee. While I take vendor-sponsored surveys with a grain of salt (McAfee bought Secure Computing, home of the Sidewinder firewall), there were some hard numbers that seemed to have real research behind them.

The analysis reported on an on-line survey of a couple hundred IT executives who manage larger user populations (500 or more users). The typical firewall had 2,500 rules, with "almost 10%" having 25,000 rules or more. The results suggested a relationship between user population size and rule set size.

"Orphaned" Survey from Tufin Software Technologies

[CORRECTED 11/18/10]

I don't know if this information is legitimate or bogus, but it's interesting. I hope by posting it I might eventually be able to confirm or deny it. My colleague Ray Kaplan attended the September, 2010, ISSA chapter meeting in the Twin Cities, and shared with me some notes about the talk.

The speaker was advertised to be Michael Hamelin, Chief Security Architect of Tufin Software Technologies, which sells software to analyze and manage firewall rule sets. (Bias alert!!) He was replaced by a colleague, and here are the notes from the talk:

Rule set size depends heavily on the firewall design; some designs allow for more compact sets. Finer-grained rules often require several rules to achieve a specific objective.

Rule set size is heavily dependent on good maintenance. A mature firewall often collects new rules without shedding old rules; new administrators don't want to introduce a vulnerability by removing an existing rule.

A "typical" (I'm guessing "mature") firewall may have from 5,000 to 50,000 rules.

10% to 30% of rules are redundant in many firewalls.

If the site has small staff turnover, 20% of the rules may actually be unused in practice.

If the site has a large turnover, 55-75% of the rules may be unused in practice.

I'd love to confirm or refute these statistics. I emailed Tufin a week ago and still haven't heard back.
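As an added illustration of the "redundant" and "unused" figures in the notes above (this is example code written for this page, not code from the post, from Tufin, or from any of the surveys), here is a small Python audit of an ordered, first-match rule list. It finds rules that can never fire because an earlier rule fully covers their match space, labelling them redundant (same action, safe to delete) or shadowed (opposite action, so the policy is not doing what its author intended), and then counts hits from a connection log to find rules that never matched. The rule set, the addresses and the log lines are all constructed for the example.

```python
"""Static and hit-count audit of an ordered, first-match firewall rule list.

Added example for this page; not from the original post or any vendor tool.
Rule names, addresses and log entries are constructed for illustration.
"""
from dataclasses import dataclass
from collections import Counter
import ipaddress

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR, "0.0.0.0/0" for any
    dst: str          # CIDR
    proto: str        # "tcp", "udp" or "any"
    ports: tuple      # inclusive destination port range
    action: str       # "allow" or "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would also match `outer`."""
    net = ipaddress.ip_network
    return (net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst))
            and (outer.proto == "any" or outer.proto == inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def find_dead_rules(rules):
    """Rules that can never fire because an earlier rule fully covers them.

    Same action as the covering rule -> "redundant": deleting it changes nothing.
    Different action                 -> "shadowed": the intended exception is
                                        never applied; someone should look.
    """
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                dead.append((later.name, kind, earlier.name))
                break  # the first covering rule is the one that actually wins
    return dead


def matches(rule: Rule, pkt) -> bool:
    """pkt is (src_ip, dst_ip, proto, dst_port)."""
    src, dst, proto, dport = pkt
    net = ipaddress.ip_network
    return (ipaddress.ip_address(src) in net(rule.src)
            and ipaddress.ip_address(dst) in net(rule.dst)
            and (rule.proto == "any" or rule.proto == proto)
            and rule.ports[0] <= dport <= rule.ports[1])


def first_match(rules, pkt):
    return next((r for r in rules if matches(r, pkt)), None)


def hit_counts(rules, packets) -> Counter:
    counts = Counter({r.name: 0 for r in rules})
    for pkt in packets:
        hit = first_match(rules, pkt)
        if hit is not None:
            counts[hit.name] += 1
    return counts


def unused_rules(rules, packets):
    """Rules with zero hits in the sample window; evidence, not proof."""
    counts = hit_counts(rules, packets)
    return [r.name for r in rules if counts[r.name] == 0]


# Constructed rule set (hypothetical names and addresses).
RULES = [
    Rule("allow_web",          "0.0.0.0/0",   "10.1.1.0/24",  "tcp", (80, 80),  "allow"),
    Rule("allow_web_host",     "0.0.0.0/0",   "10.1.1.10/32", "tcp", (80, 80),  "allow"),
    Rule("deny_telnet",        "0.0.0.0/0",   "10.1.0.0/16",  "tcp", (23, 23),  "deny"),
    Rule("allow_admin_telnet", "10.9.0.0/24", "10.1.1.10/32", "tcp", (23, 23),  "allow"),
    Rule("allow_dns",          "10.0.0.0/8",  "10.1.2.53/32", "udp", (53, 53),  "allow"),
    Rule("allow_legacy_ftp",   "10.0.0.0/8",  "10.1.3.0/24",  "tcp", (21, 21),  "allow"),
    Rule("default_deny",       "0.0.0.0/0",   "0.0.0.0/0",    "any", ANY_PORTS, "deny"),
]

# Constructed connection log: (src, dst, proto, dst_port).
LOG = [
    ("192.0.2.5",    "10.1.1.10", "tcp", 80),
    ("198.51.100.9", "10.1.1.20", "tcp", 22),
    ("10.0.5.7",     "10.1.2.53", "udp", 53),
    ("10.9.0.4",     "10.1.1.10", "tcp", 23),   # admin telnet, hits the deny
]

if __name__ == "__main__":
    for name, kind, by in find_dead_rules(RULES):
        print(f"{name}: {kind}, covered by {by}")
    print("unused in sample:", unused_rules(RULES, LOG))
```

The two checks have different strengths. A fully covered rule cannot fire whatever the traffic looks like, so the static result is definite, which is why the shadowed admin telnet rule above is the kind of thing worth chasing. A zero hit count, on the other hand, is only as good as the sample window: a rule that fires once a quarter or only during failover looks unused on a two-week log, and that uncertainty is exactly why administrators leave old rules in place. This pairwise check also misses a later rule whose match space is covered only by the union of several earlier rules; a fuller analysis has to reason about sets, not pairs.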

Marcus Ranum used to have a shtick he'd do at conferences. He'd put up a slide with some outrageous, impossible-to-verify percentage. People would nod, impressed, and then he'd explain that the statistic was nonsense. The moral: many statistics are either outright nonsense or based on misinterpreted data, especially when they are intended to promote a product or a career.

