Wednesday, October 28, 2015

Classic rulebase enforcement, isn't it obsolete?

In one of my previous posts I wrote about the stateful inspection patent. Just to remind you, it was filed in 1994. Since then, not much has changed.

Traffic inspection principles used by Check Point today are more than 20 years old. Twenty years! Now try to imagine how networks and security have changed during this time.

Granted, there are new principles in network security: intrusion prevention, application control, AVI, web filtering, you name it.

But all of them sit on top of the same policy rulebase enforcement logic that was originally invented two decades ago. Other FW vendors also stick to the same principle: rule-by-rule traffic matching until a security decision is made.

Why is it a problem? Performance.

Repeating a full match of source and destination IP addresses and protocol definitions, rule after rule, takes time and effort. It is hard to accept a connection and even harder to drop one (for more details on the "drop" part, watch one of my video nuggets about it).

Firewall vendors have tried to improve the situation by offloading simple security decisions to another device, such as an acceleration card, or by fully utilising the potential of multi-CPU machines (SecureXL and CoreXL).

And it has helped to some extent. Nevertheless, the bare logic of inspecting traffic through a rulebase remains an issue.

If your traffic is going to be accepted on rule 101, for every new connection the FW will still go through the previous hundred rules trying to find a match. Acceleration with templates helps to bypass this for similar connections between the same source and destination, but for the very first connection, even with acceleration, one has to read through 100 rules to find the final match.
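To make the cost described above concrete, here is an added example (my own illustration, not Check Point's code or any vendor's implementation) of a first-match rulebase with a counter of rules evaluated per decision, plus a simplified connection-template cache keyed on source, destination, protocol and destination port. The rules, addresses and the template key are constructed assumptions for the demonstration; the real SecureXL template logic is more involved and has restrictions of its own.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One line of a classic stateful firewall rulebase."""
    number: int
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, dport: int) -> bool:
        # Every field of every rule is compared until the first hit: this is the work
        # the firewall repeats for each new connection.
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


@dataclass
class Rulebase:
    rules: list                                    # ordered, rule 1 first
    templates: dict = field(default_factory=dict)  # simplified accept/drop template cache
    rules_evaluated: int = 0                       # total rule comparisons performed

    def first_match(self, src, dst, proto, dport) -> Optional[Rule]:
        """Linear top-down traversal, exactly as a classic rulebase is enforced."""
        for rule in self.rules:
            self.rules_evaluated += 1
            if rule.matches(src, dst, proto, dport):
                return rule
        return None  # implicit cleanup rule: drop

    def lookup(self, src, dst, proto, dport, use_templates=True):
        """Return (action, served_from_template). Templates skip the traversal for
        later connections with the same src/dst/proto/dport (source port ignored),
        which is an assumed, simplified model of acceleration templates."""
        key = (src, dst, proto, dport)
        if use_templates and key in self.templates:
            return self.templates[key], True
        rule = self.first_match(src, dst, proto, dport)
        action = rule.action if rule else "drop"
        if use_templates:
            self.templates[key] = action
        return action, False


def build_demo_rulebase() -> Rulebase:
    """Constructed rulebase: 100 drop rules that do not match our traffic, then
    rule 101 accepting HTTPS from 10.1.0.0/16 to 10.2.0.0/16 (the article's scenario)."""
    rules = [Rule(i + 1, ip_network(f"192.168.{i}.0/24"), ip_network("10.2.0.0/16"),
                  "any", None, "drop") for i in range(100)]
    rules.append(Rule(101, ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"),
                      "tcp", 443, "accept"))
    return Rulebase(rules)


def demo() -> dict:
    """Show how many rule comparisons each decision costs with and without templates."""
    rb = build_demo_rulebase()
    client, client2, server = ip_address("10.1.0.5"), ip_address("10.1.0.6"), ip_address("10.2.0.9")
    report = {}

    action, cached = rb.lookup(client, server, "tcp", 443)
    report["first_connection"] = (action, cached, rb.rules_evaluated)   # 101 rules walked

    action, cached = rb.lookup(client, server, "tcp", 443)
    report["same_flow_again"] = (action, cached, rb.rules_evaluated)    # template hit, no extra work

    action, cached = rb.lookup(client2, server, "tcp", 443)
    report["new_client"] = (action, cached, rb.rules_evaluated)         # another full 101-rule walk

    action, cached = rb.lookup(ip_address("192.168.5.5"), server, "tcp", 443)
    report["early_drop"] = (action, cached, rb.rules_evaluated)         # matched on rule 6
    return report


if __name__ == "__main__":
    for name, (action, cached, total) in demo().items():
        print(f"{name:18s} action={action:6s} from_template={cached!s:5s} rules_evaluated_so_far={total}")
```

The counter shows the point of the article: templates only remove the cost for repeat flows, while every genuinely new source/destination pair still pays for a walk through the hundred rules above the one that finally accepts it.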

Can some other logic be applied here to accelerate a new security decision through a firewall policy? The answer is yes.

Stay tuned.


  1. Zone based firewall policies help somewhat, as there are considerably fewer rules to check in the rulebase.
    One way could be: the firewall checks the IP and searches for the IP in the entire rulebase file, and matches only the rules which have the IP address.

    -Ashish Bhadouria

    1. No, Ashish, zone based firewalling falls into the same pitfall. One still has to match all the rules per zone, and matching zones or interfaces does not really help either.

  2. In response to "If your traffic is going to be accepted on rule 101, for every new connection FW will still be going through previous hundred rules trying to find a match.":

    Maybe this will help readers who are less experienced with Check Point software:

    If you enable SecureXL and (optimize the rulebase per sk32578 / sk98348 to allow SecureXL Accept Templates to kick in), then it dramatically increases the performance by skipping the inspection of subsequent packets of known (already inspected) connections.

    1. Sergei, although SecureXL is somewhat improving performance, it also brings lots of limitations and requires a very particular rulebase logic to be effective.

      Most of the customers are not aware of these limitations or just overlook some of them.

      Anyhow, acceleration or not, the bare logic of classic fw rulebase enforcement is a bottleneck by itself today. This is the point of the article.

  3. The sub-policies approach lets you do big jumps in such rulebase traversal. When you have thousands of rules this is very useful. I believe R80 allows this.

    1. I see where you are going with this, Peter. Still, for each main rule the problem remains. Still not good enough.

      R80 is actually doing something smarter than that. Let's wait till it is out, then I will tell :-)

  4. I'd argue that this type of evaluation logic is a problem for certain platform architectures (generic x86). The vendors that are able to handle this within purpose-built hardware (ASIC/FPGA) will always hold the performance crown until CP smartens up. You can just look to Juniper for an example if you want to see what purpose-built ASICs are capable of for *simple* (aka stateful FW/NAT) security (240Gbps of IMIX per line card).

    I think we can all agree that Stateful FW alone doesn't provide you with much. You definitely *need* to have it (and thus a high performing one), but the add-ons (Threat Intel/IPS/Sandbox, etc.) are where the market is going. Their value is of course still somewhat questionable...

    R80 will fix a lot of things, but device performance will not really be one of them as far as I'm aware. ADP and SAM, while heavily limited, are the best options CP still has.

    1. Craig, thanks for your piece of mind. As soon as the gateway part of R80 is out we will see if you were right.