Firewalls generally control packet flow through access-list tables, so managing and optimizing firewall rules is a critical part of firewall operation. Once a system is in production and policies are being fine-tuned, it is useful to segregate host-based and subnet-based policies. This segregation makes it possible to see whether duplicate policies exist and whether the traffic flows permitted or denied match the designed data flow. Most commonly, all the rules are exported to an Excel spreadsheet and analysed there by grouping, filtering or cutting and pasting rows. One of these tasks is separating host-to-host, host-to-subnet, subnet-to-host and subnet-to-subnet policies. This paper gives a simple arithmetic method to compute the desired result.
Introduction:
For any enterprise or
The count should come out in the following fashion, with the rule lines segregated in the spreadsheet:
Source \ Destination | Subnet | Host |
Subnet | subnet to subnet | subnet to host |
Host | host to subnet | host to host |
1234 Rule:
This rule uses an expression in two binary variables. Each variable takes the value 0 or 1, chosen to identify a subnet or a host: 0 identifies a subnet and 1 identifies a host. There are therefore four possible outcomes.
Source | Destination | Rule combination |
0 | 0 | subnet to subnet |
0 | 1 | subnet to host |
1 | 0 | host to subnet |
1 | 1 | host to host |
Further, to uniquely identify the spreadsheet lines for these four conditions, the following equation is proposed:
Cell value = x + 3^y
where x is the source bit and y is the destination bit. This equation in two variables produces four unique values, 1, 2, 3 and 4, for the four possible combinations of source and destination bits. Base 3 is the smallest that works: with x + 2^y the combinations (0,1) and (1,0) would both give 2, so those two classes could not be told apart.
Source | Destination | Cell value = x + 3^y |
0 | 0 | 1 |
0 | 1 | 3 |
1 | 0 | 2 |
1 | 1 | 4 |
The numbers this formula generates can be used as a sort key to separate the subnet-to-subnet (1), host-to-subnet (2), subnet-to-host (3) and host-to-host (4) policies.
Before applying the formula, the source and destination fields need to be marked as host or subnet. This can be done with an IF formula in the spreadsheet. For example, if column H contains the source field, the marking column can hold
Cell value =IF(H:H="host", 1, 0)
and similarly, if the destination is in column J,
Cell value =IF(J:J="host", 1, 0)
These formulae generate a series of 0s and 1s alongside the policy rows, which are the inputs for x and y; the two steps can also be combined into a single cell as =IF(H:H="host",1,0)+3^IF(J:J="host",1,0). Two caveats: a whole-column reference such as H:H relies on implicit intersection to pick out the current row, and in dynamic-array versions of Excel it spills the entire column instead, so a row-relative reference such as =IF(H2="host",1,0) filled down the sheet is the safer form; and Excel's = comparison on text is case-insensitive, so "Host" and "HOST" are matched as well.
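The same procedure carried out in Python rather than in a spreadsheet, as an added example that is not part of the original post. It generalizes the marking step: instead of expecting a literal "host" in the export, it derives the host/subnet bit from the prefix length of the address (a /32 or /128 is a host, anything shorter is a subnet), then applies x + 3^y to bucket the rules and, within each bucket, flags lines that repeat the same source, destination and service. The CSV rule export and its column names are constructed for the example and are not from any particular firewall vendor.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (not real data). The columns are assumed:
# a real export will have its own names and may carry object names
# rather than addresses, which would need resolving first.
SAMPLE_RULES = """\
id,source,destination,service,action
10,10.1.1.5/32,10.2.0.0/16,tcp/443,allow
20,10.1.0.0/24,10.2.3.7/32,tcp/22,allow
30,192.168.10.0/24,172.16.0.0/12,any,deny
40,10.1.1.5/32,10.2.3.7/32,tcp/3389,allow
50,10.1.0.0/24,10.2.3.7/32,tcp/22,allow
"""

# The four values the 1234 rule produces and what each one means.
LABELS = {1: "subnet to subnet", 2: "host to subnet",
          3: "subnet to host", 4: "host to host"}


def host_bit(address: str) -> int:
    """Return 1 for a single host, 0 for a subnet.

    A bare address, a /32 (IPv4) or a /128 (IPv6) covers exactly one
    address and is a host; any wider prefix is a subnet. This plays the
    role of the spreadsheet's =IF(H2="host",1,0) marking step.
    """
    net = ipaddress.ip_network(address, strict=False)
    return 1 if net.num_addresses == 1 else 0


def rule_class(x: int, y: int) -> int:
    """The 1234 rule: cell value = x + 3^y, x = source bit, y = destination bit."""
    return x + 3 ** y


def classify(csv_text: str) -> dict:
    """Parse a CSV rule export and bucket the rows by their 1234 value."""
    buckets = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        x = host_bit(row["source"])
        y = host_bit(row["destination"])
        buckets[rule_class(x, y)].append(row)
    return dict(buckets)


def find_duplicates(rules: list) -> list:
    """Within one bucket, list the ids of rules that repeat the same
    source, destination and service (exact duplicates only; shadowing
    by a wider rule is a separate analysis)."""
    seen = defaultdict(list)
    for r in rules:
        seen[(r["source"], r["destination"], r["service"])].append(r["id"])
    return [ids for ids in seen.values() if len(ids) > 1]


if __name__ == "__main__":
    buckets = classify(SAMPLE_RULES)
    for value in sorted(buckets):
        rules = buckets[value]
        print(f"{value}: {LABELS[value]} ({len(rules)} rules)")
        for r in rules:
            print(f"   rule {r['id']}: {r['source']} -> {r['destination']} "
                  f"{r['service']} {r['action']}")
        for ids in find_duplicates(rules):
            print(f"   duplicate policy lines: {', '.join(ids)}")
```

With the constructed export, rules 10 and 40 land in buckets 2 and 4, rule 30 in bucket 1, and rules 20 and 50 in bucket 3, where they are reported as duplicates of each other.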
Conclusion:
This paper has described a convenient method to segregate policy lines into subnet-to-subnet, subnet-to-host, host-to-subnet and host-to-host rules. The formula "Cell value = x + 3^y" can, however, be used for any other requirement where a similar result is needed from two variables that each have two possible values. Since the formula yields the decimal values 1, 2, 3 and 4, it has been named the 1234 rule.