Wednesday, April 22, 2009

Firewall Complexity Versus Time

As a follow up to Firewall Rule (Mis)Management, I created a few simple charts showing the growth of a firewall config over time. The Y-axis is simply the size of the config in bytes. The X-axis represents time from 2002 to present.


This particular firewall is at a data center that is being phased out, so as applications get deprovisioned or moved, the configuration size shrinks.

The second chart is for a firewall for another data center that was spun up in 2005. The X-axis is time from 2005 through today. The steep change in size at the left is the initial provisioning of the apps in the new data center.


The configuration size has grown continuously since 2005. I’m expecting that it will continue to grow as more apps get hosted. There are not too many scenarios were a configuration would shrink unless major applications were phased out or the firewall manger decided to simplify the problem with a few ‘permit any any’ rules.

At some point in time it’ll be too large to mange if it isn’t already. Presumably the probability of human error increases with complexity (configuration size), so one might suppose that if firewall configuration errors cause a decrease security, then the data center becomes less secure over time.

Entropy is the enemy of security.


  1. Very interesting analysis. Never thought of it that way. I can't deny the value of a firewall, but being part of an application development team, often question it. Seems like there is a significant loss to business productivity due to issues that come up only because of the firewall. Thanks for the good post!

    Peter Edstrom

  2. I don't disagree that the firewall can be a headache. Unfortunately, I haven't see an alternative that can provide reasonable protection for the elements that make up the infrastructure that hosts the application.

    Unfortunately firewalls can't protect web applications from themselves. As soon as port 80 is open, the web app is the target, and in my experience, most web apps are not up to the challenge.

    Lately I'm batting 1000 on demonstrating vulnerabilities in newly hosted applications in our data center. The ones that are written by persons who view themselves as highly paid consultants/experts are the worst.