Firewall Complexity Versus Time

As a follow up to Firewall Rule (Mis)Management, I created a few simple charts showing the growth of a firewall config over time. The Y-axis is simply the size of the config in bytes. The X-axis represents time from 2002 to present.


This particular firewall is at a data center that is being phased out, so as applications get deprovisioned or moved, the configuration size shrinks.

The second chart is for a firewall for another data center that was spun up in 2005. The X-axis is time from 2005 through today. The steep change in size at the left is the initial provisioning of the apps in the new data center.


The configuration size has grown continuously since 2005. I’m expecting that it will continue to grow as more apps get hosted. There are not too many scenarios were a configuration would shrink unless major applications were phased out or the firewall manger decided to simplify the problem with a few ‘permit any any’ rules.

At some point in time it’ll be too large to mange if it isn’t already. Presumably the probability of human error increases with complexity (configuration size), so one might suppose that if firewall configuration errors cause a decrease security, then the data center becomes less secure over time.

Entropy is the enemy of security.