Firewall Rulebase Analysis Report

Results of analysis carried out for:

Firewall	HatSecurity.com-PIX-demo1
Type	Cisco PIX
Date	7/2/2008 10:58:17 PM

Statistics on the analysis:

Rules category	Number dropped	Percentage
Log analysis	200	48.66 %
Redundant	5	1.216 %
Grouped	18	4.379 %
Unused objects	0

Results of log analysis

The following policies can be dropped based on log analysis

ID	Source Hosts	Destination Hosts	Services	Action
8	any	Anywhere	6129	deny
24	any	edirectory1	80	permit
31	dialup/24	inetlog02	161	permit
33	dialup/22	22.118.128.78/32	53	permit
41	any	22.118.128.25/32	80	permit
50	22.118.128.20/32	Anywhere	443	permit
51	22.118.128.25/32	Anywhere	443	permit
52	ABCNet	BSC	8080	permit
53	any	22.118.128.152/32	80	permit
54	any	22.118.128.152/32	443	permit
57	any	symantec1	25	permit
60	any	22.118.128.95/32	80	permit
61	ipass	22.118.128.158/32	577	permit
66	195.149.45.5/32	22.118.128.68/32	23	permit
67	22.138.47.100/32	22.118.128.68/32	any	permit
68	22.138.47.100/32	cache1-out	any	permit
69	22.118.136.198/32	22.118.128.68/32	any	permit
70	22.118.136.198/32	cache1-out	any	permit
71	22.26.63.45/32	22.118.128.68/32	any	permit
73	22.118.128.225/32	22.118.128.66/32	radius:radius-acct	permit
74	22.118.128.225/32	22.118.128.67/32	radius:radius-acct	permit
75	64.104.205.63/32	cisco-tac	23	permit
76	ebill	172.20.238.77/32	1521	permit
77	ebill	172.20.238.77/32	1521	permit
78	22.118.128.224/28	inetlog02	515	permit
79	22.247.15.77/32	22.118.128.169/32	22	permit
81	22.118.128.226/32	22.118.128.66/32	radius	permit
82	22.118.128.226/32	22.118.128.66/32	radius-acct	permit
83	22.234.153.202/32	Anywhere	any	deny
84	22.118.128.226/32	22.118.128.67/32	radius	permit
85	22.118.128.226/32	22.118.128.67/32	radius-acct	permit
86	any	22.118.128.92/32	81	permit
87	any	22.118.128.92/32	449	permit
98	22.118.136.54/32	22.118.128.164/32	echo-reply	permit
99	22.118.136.198/32	22.118.128.164/32	mask-reply	permit
100	22.118.136.198/32	22.118.128.164/32	echo-reply	permit
101	22.118.133.140/32	22.118.128.164/32	mask-reply	permit
102	22.118.133.140/32	22.118.128.164/32	echo-reply	permit
103	22.118.133.133/32	22.118.128.164/32	mask-reply	permit
104	22.118.133.133/32	22.118.128.164/32	echo-reply	permit
105	ABCNetP	22.118.128.164/32	mask-reply	permit
106	ABCNetP	22.118.128.164/32	echo-reply	permit
107	22.118.133.137/32	22.118.128.164/32	mask-reply	permit
108	22.118.133.137/32	22.118.128.164/32	echo-reply	permit
109	22.247.15.77/32	22.118.128.168/32	23	permit
110	22.247.15.77/32	22.118.128.168/32	21	permit
111	22.247.15.77/32	22.118.128.169/32	23	permit
112	22.247.15.77/32	22.118.128.169/32	21	permit
113	any	cache1-out	6970:7170	permit
114	any	cache2-out	6970:7170	permit
115	scr05-01-1685_s	scr05-01-1685_d	scr05-01-1685_p	permit
120	22.135.137.194/32	22.135.137.194/32	20	permit
122	any	22.118.128.24/32	80	permit
135	escr7069_d	symantec3	escr7069_p1	permit
138	intranet	Anywhere	escr8793_p1	permit
143	any	intranet	escr8931_p2	permit
144	any	intranet	escr8931_p1	permit
152	10.33.16.12/32	escr8942_d	63	permit
158	any	Anywhere	any	permit
159	DNS2	Anywhere	53	permit
160	DNS2	Anywhere	53	permit
163	WAS	Anywhere	any	permit
164	WAP	Anywhere	any	permit
165	22.118.128.66/32	Anywhere	53	permit
168	22.118.128.67/32	Anywhere	53	permit
169	22.118.128.67/32	Anywhere	53	permit
170	HASimc01	Anywhere	25	permit
171	HASimc02	Anywhere	25	permit
173	22.118.128.154/32	Anywhere	25	permit
175	22.118.128.143/32	ABCNetP	8080	permit
176	wireless-BB	Anywhere	any	permit
177	pptp	Anywhere	pptp	permit
178	pptp	Anywhere	any	permit
180	pptp2	Anywhere	any	permit
182	cache2-out	Anywhere	8080	permit
184	cache1-out	Anywhere	21	permit
189	any	22.118.128.20/32	80	permit
191	any	22.118.128.25/32	443	permit
192	any	22.118.128.25/32	80	permit
193	22.118.128.20/32	Anywhere	443	permit
196	22.118.128.20/32	Anywhere	80	permit
197	22.118.128.136/32	ftp.sun.co.uk/32	21	permit
198	22.118.128.136/32	ftp.hostnet.cz/32	21	permit
199	22.118.128.149/32	ftp.sun.co.uk/32	21	permit
200	22.118.128.149/32	ftp.hostnet.cz/32	21	permit
201	22.118.128.151/32	ftp.sun.co.uk/32	21	permit
202	22.118.128.151/32	ftp.hostnet.cz/32	21	permit
203	22.118.128.153/32	Cisco_FTP	21	permit
204	22.118.128.76/32	Anywhere	21	permit
205	22.118.128.76/32	Anywhere	8080	permit
206	22.118.128.76/32	Anywhere	80	permit
207	22.118.128.73/32	Anywhere	25	permit
208	symantec1	Anywhere	25	permit
209	22.118.128.155/32	195.229.49.177/32	443	permit
210	22.118.128.155/32	195.229.49.177/32	8080	permit
214	22.118.128.157/32	192.100.121.12/32	8080	permit
215	22.118.128.157/32	192.100.121.12/32	1494	permit
216	22.118.128.157/32	192.100.121.12/32	1604	permit
217	22.118.128.68/32	22.138.47.100/32	any	permit
218	cache1-out	22.138.47.100/32	any	permit
219	22.118.128.68/32	22.138.47.100/32	any	permit
220	cache1-out	22.138.47.100/32	any	permit
221	IntGroupHost	192.168.219.53/32	443	permit
222	IntGroupHost	192.135.250.12/32	443	permit
223	IntGroupHost	64.103.36.134/32	443	permit
224	IntGroupHost	192.135.250.12/32	21	permit
225	22.118.128.158/32	13.86.133.55/32	any	permit
226	10.32.88.210/32	22.162.134.90/32	9009	permit
227	22.118.128.100/32	22.138.47.100/32	8080	permit
228	22.118.128.155/32	192.229.49.177/32	8080	permit
229	22.118.128.155/32	192.229.49.177/32	443	permit
230	8.2.250.250/32	22.118.128.68/32	23	permit
231	8.2.250.250/32	22.118.128.68/32	23	permit
232	8.2.250.250/32	22.118.128.68/32	8081	permit
233	8.2.250.250/32	22.118.128.68/32	8081	permit
234	8.2.250.250/32	22.118.128.69/32	23	permit
235	8.2.250.250/32	22.118.128.69/32	23	permit
236	8.2.250.250/32	22.118.128.69/32	8081	permit
237	8.2.250.250/32	22.118.128.69/32	8081	permit
238	172.20.238.77/32	ebill	1521	permit
239	172.20.238.77/32	ebill	1521	permit
240	22.118.128.162/32	SCR1588-87_d	any	permit
241	22.118.128.162/32	SCR1588-87_d	isakmp	permit
242	22.118.128.162/32	SCR1588-87_d	10000	permit
243	22.118.128.162/32	192.245.235.140/32	any	permit
244	22.118.128.165/32	192.6.126.144/32	443	permit
248	10.32.15.235/32	Anywhere	any	deny
250	22.118.128.226/32	22.118.128.66/32	1646	permit
251	22.118.128.226/32	22.118.128.67/32	1646	permit
252	22.118.128.226/32	22.118.128.67/32	1645	permit
253	22.118.128.163/32	22.118.133.133/32	8080	permit
254	22.118.128.163/32	22.118.133.137/32	8080	permit
255	22.118.128.163/32	ABCNetP	8080	permit
256	22.118.128.163/32	22.118.133.140/32	8080	permit
257	22.118.128.164/32	scr2160_d	echo	permit
258	22.118.128.164/32	scr2160_d	mask-request	permit
259	22.118.128.91/32	Anywhere	80	permit
260	22.118.128.91/32	Anywhere	443	permit
261	22.118.128.108/32	207.46.197.119/32	80	permit
264	cache1-out	Anywhere	2000:2001	permit
265	cache2-out	Anywhere	2000:2001	permit
266	cache1-out	Anywhere	5005	permit
269	cache2-out	Anywhere	5000	permit
270	cache1-out	Anywhere	1755	permit
271	cache2-out	Anywhere	1755	permit
272	cache1-out	Anywhere	1024	permit
273	cache2-out	Anywhere	1024	permit
274	cache1-out	Anywhere	80	permit
275	cache1-out	Anywhere	1755	permit
276	cache1-out	Anywhere	554	permit
277	cache2-out	Anywhere	554	permit
278	cache2-out	Anywhere	1755	permit
280	scr05-01-1581_s	22.118.128.91/32	scr05-01-1581_p	permit
281	22.118.128.182/32	22.119.64.11/32	21	permit
282	22.118.128.182/32	22.93.192.102/32	21	permit
283	22.118.128.170/32	Anywhere	9008:9009	permit
287	22.118.128.164/32	scr2160	mask-request	permit
298	172.20.10.8/30	22.118.128.21/32	161:162	permit
299	escr2129_s	escr2129_d	161	permit
300	22.118.128.164/32	22.118.128.21/32	161	permit
301	escr2689_s	escr2689_d	443	permit
302	22.118.128.164/32	22.118.128.22/32	161	permit
303	escr2812_s	escr2812_d	escr2812_p	permit
310	22.118.128.159/32	12.151.162.110/32	443	permit
311	22.118.128.167/32	12.151.162.110/32	443	permit
317	escr-4463_d	Anywhere	53	permit
318	escr-4466_s	escr-4466_d	2002:2010	permit
334	escr5723_s	22.118.128.64/26	escr5723_p	permit
341	10.32.8.94/32	Anywhere	any	permit
342	symantec3	escr7069_d	escr7069_p	permit
344	22.32.88.210/32	escr7197_d	escr7197_p	permit
354	172.0.0.0/8	22.118.128.24/32	80	permit
359	10.32.2.71/32	22.118.128.102/32	161	permit
362	10.32.2.72/32	22.118.128.102/32	162	permit
363	172.20.12.13/32	22.118.128.102/32	80	permit
364	172.20.12.13/32	22.118.128.102/32	10198	permit
365	172.20.12.13/32	22.118.128.102/32	10319	permit
366	22.118.128.102/32	10.32.0.71/32	161	permit
367	22.118.128.102/32	10.32.0.71/32	162	permit
368	22.118.128.102/32	10.32.0.72/32	161	permit
369	22.118.128.102/32	10.32.0.72/32	162	permit
370	22.118.128.102/32	172.20.12.13/32	80	permit
371	22.118.128.102/32	172.20.12.13/32	10198	permit
372	22.118.128.102/32	172.20.12.13/32	10319	permit
373	12.151.162.162/32	22.118.129.41/32	55011:55012	permit
374	12.151.162.162/32	escr8241_d	55011:55012	permit
375	escr8384_s	172.20.39.195/32	7777	permit
376	22.118.128.188/32	22.118.154.29/32	80	permit
377	Ayma	Anywhere	443	permit
378	10.255.255.67/32	Ayma	57001	permit
382	172.20.239.7/32	Anywhere	escr8764_p	permit
383	172.20.239.7/32	Anywhere	escr8764_p1	permit
384	any	172.20.239.7/32	escr8764_p1	permit
385	any	intranet	escr8793_p3	permit
386	any	intranet	escr8793_p1	permit
394	escr8784_s	escr8784_d	636	permit
400	escr8784_s	escr8784_d	636	permit
406	symantec4	escr9020_d	5555	permit
409	escr9332_s	Anywhere	80	permit
410	193.110.54.70/32	10.32.9.210/32	any	permit

Results of shadow analysis

The first and second policies in each set match the same traffic, but have the opposite actions

ID	Source Hosts	Destination Hosts	Services	Action
72	22.26.63.45/32	cache1-out	any	permit
157	any	Anywhere	any	deny

ID	Source Hosts	Destination Hosts	Services	Action
118	22.118.128.226/32	22.118.128.185/32	any	permit
157	any	Anywhere	any	deny

ID	Source Hosts	Destination Hosts	Services	Action
119	22.118.128.225/32	22.118.128.185/32	any	permit
157	any	Anywhere	any	deny

ID	Source Hosts	Destination Hosts	Services	Action
155	any	22.118.128.102/32	any	permit
157	any	Anywhere	any	deny

ID	Source Hosts	Destination Hosts	Services	Action
181	inetlog02	Anywhere	any	permit
411	any	Anywhere	any	deny

ID	Source Hosts	Destination Hosts	Services	Action
156	22.118.128.102/32	Anywhere	any	permit
157	any	Anywhere	any	deny

ID	Source Hosts	Destination Hosts	Services	Action
188	Ahme	22.118.128.225/32	any	permit
411	any	Anywhere	any	deny

ID	Source Hosts	Destination Hosts	Services	Action
340	10.32.8.90/32	Anywhere	any	permit
411	any	Anywhere	any	deny

ID	Source Hosts	Destination Hosts	Services	Action
401	any	22.118.128.102/32	any	permit
411	any	Anywhere	any	deny

ID	Source Hosts	Destination Hosts	Services	Action
407	22.118.128.186/32	193.110.54.70/32	any	permit
411	any	Anywhere	any	deny

ID	Source Hosts	Destination Hosts	Services	Action
402	22.118.128.102/32	Anywhere	any	permit
411	any	Anywhere	any	deny

Results of redundant analysis

The first policy is a subset of the second one

ID	Source Hosts	Destination Hosts	Services	Action
37	escr4466_s	escr4466_d	1645:1646	permit
124	escr-4466_s1	escr-4466_d	1645:1646	permit

ID	Source Hosts	Destination Hosts	Services	Action
38	escr4466_s	escr4466_d	radius:radius-acct	permit
125	escr-4466_s1	escr-4466_d	radius:radius-acct	permit

ID	Source Hosts	Destination Hosts	Services	Action
94	scr2160_d	22.118.128.164/32	mask-reply	permit
97	22.118.136.54/32	22.118.128.164/32	mask-reply	permit

ID	Source Hosts	Destination Hosts	Services	Action
37	escr4466_s	escr4466_d	1645:1646	permit
124	escr-4466_s1	escr-4466_d	1645:1646	permit

ID	Source Hosts	Destination Hosts	Services	Action
312	22.118.128.176/32	12.151.162.110/32	443	permit
325	escr4979_s	12.151.162.110/32	443	permit

Results of group analysis

The following policies can be grouped together

ID	Source Hosts	Destination Hosts	Services	Action
30	any	ebill	group_30	permit
88	any	ebill	81	permit
89	any	ebill	449	permit

ID	Source Hosts	Destination Hosts	Services	Action
39	22.118.128.225/32	22.118.128.67/32	group_39	permit
55	22.118.128.225/32	22.118.128.67/32	radius	permit

ID	Source Hosts	Destination Hosts	Services	Action
40	any	22.118.128.20/32	group_40	permit
42	any	22.118.128.20/32	443	permit

ID	Source Hosts	Destination Hosts	Services	Action
90	any	22.118.128.110/32	group_90	permit
91	any	22.118.128.110/32	80	permit
126	any	22.118.128.110/32	11001	permit

ID	Source Hosts	Destination Hosts	Services	Action
92	any	22.118.128.91/32	group_92	permit
93	any	22.118.128.91/32	443	permit

ID	Source Hosts	Destination Hosts	Services	Action
183	cache1-out	Anywhere	group_183	permit
308	cache1-out	Anywhere	443	permit

ID	Source Hosts	Destination Hosts	Services	Action
185	cache2-out	Anywhere	group_185	permit
279	cache2-out	Anywhere	80	permit
309	cache2-out	Anywhere	443	permit

ID	Source Hosts	Destination Hosts	Services	Action
194	22.118.128.25/32	Anywhere	group_194	permit
195	22.118.128.25/32	Anywhere	80	permit

ID	Source Hosts	Destination Hosts	Services	Action
284	22.118.128.163/32	Anywhere	group_284	permit
285	22.118.128.163/32	Anywhere	9009	permit

ID	Source Hosts	Destination Hosts	Services	Action
290	22.118.128.164/32	scr2160	group_290	permit
291	22.118.128.164/32	scr2160	1050:1075	permit

ID	Source Hosts	Destination Hosts	Services	Action
295	172.20.10.8/30	22.118.128.22/32	group_295	permit
296	172.20.10.8/30	22.118.128.22/32	23	permit

ID	Source Hosts	Destination Hosts	Services	Action
327	escr5723_s	cache2-out	group_327	permit
330	escr5723_s	cache2-out	22	permit

ID	Source Hosts	Destination Hosts	Services	Action
328	escr5723_s	cache1-out	group_328	permit
331	escr5723_s	cache1-out	23	permit
332	escr5723_s	cache1-out	8080	permit

ID	Source Hosts	Destination Hosts	Services	Action
404	22.118.128.186/32	193.110.54.70/32	group_404	permit
405	22.118.128.186/32	193.110.54.70/32	pptp	permit

Results of objects analysis

The following objects can be dropped

Objects
no object-group service escr3240_p
no object-group service escr5723_p1
no object-group service escr7197_p
no object-group service escr8764_p1
no object-group service escr8793_p1
no object-group service escr9313_p
no object-group service escr9313_p1
no object-group service Internet-MIS
no object-group service scr05-01-1581_p
no object-group service scr05-01-1685_p
no object-group service scr2160_p
no object-group network escr2129_d
no object-group network escr2129_s
no object-group network escr2689_d
no object-group network escr2689_s
no object-group network escr3240_d
no object-group network escr4466_d
no object-group network escr4466_s
no object-group network escr7197_d
no object-group network escr7880_s
no object-group network escr8241_d
no object-group network escr8384_s
no object-group network escr9313_d
no object-group network escr9313_s
no object-group network escr9332_s
no object-group network ipass
no object-group network scr05-01-1581_s
no object-group network scr05-01-1685_d
no object-group network scr05-01-1685_s
no object-group network scr1444_d
no object-group network SCR1588-87_d
no object-group network tada_d

Results of analysis carried out for:

Firewall	HatSecurity.com-PIX-demo1
Type	Cisco PIX
Date	7/2/2008 11:04:44 PM

Statistics on the analysis:

Rules category	Number dropped	Percentage
Log analysis	200	48.66 %
Redundant	5	1.216 %
Grouped	18	4.379 %
Unused objects	31

Results of redundant analysis

The first policy is a subset of the second one

Firesec Firewall Rulebase Analysis Report

Copyright © Network Intelligence (I) Pvt. Ltd.

Results of analysis carried out for:

Statistics on the analysis:

Results of log analysis

Results of shadow analysis

Results of redundant analysis

Results of group analysis

Results of objects analysis

Results of analysis carried out for:

Statistics on the analysis:

Results of redundant analysis