Which firewalls have the best rule organization metaphor in their GUI for
constructing and maintaining rules? I'm interested in products that can
scale their rulesets to hundreds of rules and dozens of different networks
without becoming too difficult to read and maintain.
To be honest I have never met a firewall I really liked, and I have used
Checkpoint Firewall-1, Microsoft ISA Server, and a handful of lesser known
firewalls. The shortcoming of all of them in a non-trivial network is that
once a ruleset becomes sufficiently large it becomes very very hard to read
through it and completely understand it. Even if you follow well-organized
conventions to put all from and to rules for a network or host together, you
in general have to deal with many broad classifications of rules such as:
- rules between networks
- rules applying to specific hosts or segments
- rules that apply to logical groups of hosts or networks (these could
represent groups of networks that belong to a single Windows "domain" for
Broad rules that you establish early in the ruleset can unintentionally
render rules that apply to specific hosts and networks later on in the
Specific rules that you establish for a host or network segment can likewise
render a broader rule stated later inoperative.
All of this is made worse by software GUI interfaces in most firewalls that
use a purely linear organization scheme for rules. This makes reading the
ruleset like reading through a 500 line program that has no indenting or
formatting structures for ease of reading or grouping of related items.
Is there a product whose user interface for ruleset organization uses a
metaphor that scales to a larger number of rules? In my opinion Checkpoint
and Microsoft's products fail on this criteria. Are there any better
products for this criteria?
I don't need any kind of exceptional performance. Cheap is better than