Firewall Rulebase Analysis Report

Results of analysis carried out for:

Firewall	sample
Type	Cisco PIX
Date	11/25/2008 3:28:46 PM

Statistics on the analysis:

Rules category	Number dropped	Percentage
Log analysis	200	48.66 %
Redundant	6	1.459 %
Grouped	23	5.596 %
Unused objects	33	8.029 %

Table of Content

1. Result of Log Analysis
2. Result of Redundant Analysis
3. Result of Group Analysis
4. Result of Unused Objects Analysis
5. Result of Undeclared Source Host Analysis
6. Result of Undeclared Destination Host Analysis
7. Result of Undeclared Services Analysis

Results of log analysis

The following policies can be dropped based on log analysis

ID	Source Hosts	Destination Hosts	Services	Action
8	any	any	6129	deny
24	any	sample_34	80	permit
31	sample_16/24	sample_21	161	permit
33	sample_16/22	10.0.0.78/32	53	permit
41	any	10.0.0.25/32	80	permit
50	10.0.0.20/32	any	443	permit
51	10.0.0.25/32	any	443	permit
52	sample_20	sample_41	8080	permit
53	any	10.0.0.152/32	80	permit
54	any	10.0.0.152/32	443	permit
57	any	sample_23	25	permit
60	any	10.0.0.95/32	80	permit
61	sample_45	10.0.0.158/32	577	permit
66	10.0.45.5/32	10.0.0.68/32	23	permit
67	10.0.0.100/32	10.0.0.68/32	any	permit
68	10.0.0.100/32	sample_7	any	permit
69	10.0.6.198/32	10.0.0.68/32	any	permit
70	10.0.6.198/32	sample_7	any	permit
71	10.0.0.45/32	10.0.0.68/32	any	permit
73	10.0.0.225/32	10.0.0.66/32	radius:radius-acct	permit
74	10.0.0.225/32	10.0.0.67/32	radius:radius-acct	permit
75	64.104.205.63/32	sample_33	23	permit
76	sample_22	10.0.238.77/32	1521	permit
77	sample_22	10.0.238.77/32	1521	permit
78	10.0.0.224/28	sample_21	515	permit
79	22.247.15.77/32	10.0.0.169/32	22	permit
81	10.0.0.226/32	10.0.0.66/32	radius	permit
82	10.0.0.226/32	10.0.0.66/32	radius-acct	permit
83	22.234.153.202/32	any	any	deny
84	10.0.0.226/32	10.0.0.67/32	radius	permit
85	10.0.0.226/32	10.0.0.67/32	radius-acct	permit
86	any	10.0.0.92/32	81	permit
87	any	10.0.0.92/32	449	permit
98	10.0.6.54/32	10.0.0.164/32	echo-reply	permit
99	10.0.6.198/32	10.0.0.164/32	mask-reply	permit
100	10.0.6.198/32	10.0.0.164/32	echo-reply	permit
101	10.0.3.140/32	10.0.0.164/32	mask-reply	permit
102	10.0.3.140/32	10.0.0.164/32	echo-reply	permit
103	10.0.3.133/32	10.0.0.164/32	mask-reply	permit
104	10.0.3.133/32	10.0.0.164/32	echo-reply	permit
105	sample_43	10.0.0.164/32	mask-reply	permit
106	sample_43	10.0.0.164/32	echo-reply	permit
107	10.0.3.137/32	10.0.0.164/32	mask-reply	permit
108	10.0.3.137/32	10.0.0.164/32	echo-reply	permit
109	22.247.15.77/32	10.0.0.168/32	23	permit
110	22.247.15.77/32	10.0.0.168/32	21	permit
111	22.247.15.77/32	10.0.0.169/32	23	permit
112	22.247.15.77/32	10.0.0.169/32	21	permit
113	any	sample_7	6970:7170	permit
114	any	sample_8	6970:7170	permit
115	sample_53	sample_52	sample_54	permit
120	10.0.137.194/32	10.0.137.194/32	20	permit
122	any	10.0.0.24/32	80	permit
135	sample_84	sample_24	sample_86	permit
138	sample_1	any	sample_106	permit
143	any	sample_1	sample_113	permit
144	any	sample_1	sample_112	permit
152	10.0.0.12/32	sample_111	63	permit
158	any	any	any	permit
159	sample_36	any	53	permit
160	sample_36	any	53	permit
163	sample_10	any	any	permit
164	sample_11	any	any	permit
165	10.0.0.66/32	any	53	permit
168	10.0.0.67/32	any	53	permit
169	10.0.0.67/32	any	53	permit
170	sample_19	any	25	permit
171	sample_18	any	25	permit
173	10.0.0.154/32	any	25	permit
175	10.0.0.143/32	sample_43	8080	permit
176	sample_13	any	any	permit
177	sample_17	any	sample_17	permit
178	sample_17	any	any	permit
180	sample_172	any	any	permit
182	sample_8	any	8080	permit
184	sample_7	any	21	permit
189	any	10.0.0.20/32	80	permit
191	any	10.0.0.25/32	443	permit
192	any	10.0.0.25/32	80	permit
193	10.0.0.20/32	any	443	permit
196	10.0.0.20/32	any	80	permit
197	10.0.0.136/32	sample_40	21	permit
198	10.0.0.136/32	sample_39	21	permit
199	10.0.0.149/32	sample_40	21	permit
200	10.0.0.149/32	sample_39	21	permit
201	10.0.0.151/32	sample_40	21	permit
202	10.0.0.151/32	sample_39	21	permit
203	10.0.0.153/32	sample_42	21	permit
204	10.0.0.76/32	any	21	permit
205	10.0.0.76/32	any	8080	permit
206	10.0.0.76/32	any	80	permit
207	10.0.0.73/32	any	25	permit
208	sample_23	any	25	permit
209	10.0.0.155/32	195.229.49.177/32	443	permit
210	10.0.0.155/32	195.229.49.177/32	8080	permit
214	10.0.0.157/32	10.0.0.12/32	8080	permit
215	10.0.0.157/32	10.0.0.12/32	1494	permit
216	10.0.0.157/32	10.0.0.12/32	1604	permit
217	10.0.0.68/32	10.0.0.100/32	any	permit
218	sample_7	10.0.0.100/32	any	permit
219	10.0.0.68/32	10.0.0.100/32	any	permit
220	sample_7	10.0.0.100/32	any	permit
221	sample_29	10.0.219.53/32	443	permit
222	sample_29	10.0.0.12/32	443	permit
223	sample_29	10.0.0.134/32	443	permit
224	sample_29	10.0.0.12/32	21	permit
225	10.0.0.158/32	13.86.133.55/32	any	permit
226	10.0.0.210/32	10.0.134.90/32	9009	permit
227	10.0.0.100/32	10.0.0.100/32	8080	permit
228	10.0.0.155/32	10.0.0.177/32	8080	permit
229	10.0.0.155/32	10.0.0.177/32	443	permit
230	10.0.0.250/32	10.0.0.68/32	23	permit
231	10.0.0.250/32	10.0.0.68/32	23	permit
232	10.0.0.250/32	10.0.0.68/32	8081	permit
233	10.0.0.250/32	10.0.0.68/32	8081	permit
234	10.0.0.250/32	10.0.0.69/32	23	permit
235	10.0.0.250/32	10.0.0.69/32	23	permit
236	10.0.0.250/32	10.0.0.69/32	8081	permit
237	10.0.0.250/32	10.0.0.69/32	8081	permit
238	10.0.238.77/32	sample_22	1521	permit
239	10.0.238.77/32	sample_22	1521	permit
240	10.0.0.162/32	sample_47	any	permit
241	10.0.0.162/32	sample_47	isakmp	permit
242	10.0.0.162/32	sample_47	10000	permit
243	10.0.0.162/32	10.0.0.140/32	any	permit
244	10.0.0.165/32	10.0.0.144/32	443	permit
248	10.0.15.235/32	any	any	deny
250	10.0.0.226/32	10.0.0.66/32	1646	permit
251	10.0.0.226/32	10.0.0.67/32	1646	permit
252	10.0.0.226/32	10.0.0.67/32	1645	permit
253	10.0.0.163/32	10.0.3.133/32	8080	permit
254	10.0.0.163/32	10.0.3.137/32	8080	permit
255	10.0.0.163/32	sample_43	8080	permit
256	10.0.0.163/32	10.0.3.140/32	8080	permit
257	10.0.0.164/32	sample_49	echo	permit
258	10.0.0.164/32	sample_49	mask-request	permit
259	10.0.0.91/32	any	80	permit
260	10.0.0.91/32	any	443	permit
261	10.0.0.108/32	207.46.197.119/32	80	permit
264	sample_7	any	2000:2001	permit
265	sample_8	any	2000:2001	permit
266	sample_7	any	5005	permit
269	sample_8	any	5000	permit
270	sample_7	any	1755	permit
271	sample_8	any	1755	permit
272	sample_7	any	1024	permit
273	sample_8	any	1024	permit
274	sample_7	any	80	permit
275	sample_7	any	1755	permit
276	sample_7	any	554	permit
277	sample_8	any	554	permit
278	sample_8	any	1755	permit
280	sample_55	10.0.0.91/32	sample_56	permit
281	10.0.0.182/32	22.119.64.11/32	21	permit
282	10.0.0.182/32	10.0.0.102/32	21	permit
283	10.0.0.170/32	any	9008:9009	permit
287	10.0.0.164/32	sample_57	mask-request	permit
298	10.0.10.8/30	10.0.0.21/32	161:162	permit
299	sample_59	sample_60	161	permit
300	10.0.0.164/32	10.0.0.21/32	161	permit
301	sample_61	sample_62	443	permit
302	10.0.0.164/32	10.0.0.22/32	161	permit
303	sample_63	sample_64	sample_65	permit
310	10.0.0.159/32	10.0.0.110/32	443	permit
311	10.0.0.167/32	10.0.0.110/32	443	permit
317	sample_70	any	53	permit
318	sample_71	sample_73	2002:2010	permit
334	sample_78	10.0.0.64/26	sample_79	permit
341	10.0.8.94/32	any	any	permit
342	sample_24	sample_84	sample_85	permit
344	10.0.0.210/32	sample_88	sample_89	permit
354	10.0.0.0/8	10.0.0.24/32	80	permit
359	10.0.2.71/32	10.0.0.102/32	161	permit
362	10.0.2.72/32	10.0.0.102/32	162	permit
363	10.0.12.13/32	10.0.0.102/32	80	permit
364	10.0.12.13/32	10.0.0.102/32	10198	permit
365	10.0.12.13/32	10.0.0.102/32	10319	permit
366	10.0.0.102/32	10.0.0.71/32	161	permit
367	10.0.0.102/32	10.0.0.71/32	162	permit
368	10.0.0.102/32	10.0.0.72/32	161	permit
369	10.0.0.102/32	10.0.0.72/32	162	permit
370	10.0.0.102/32	10.0.12.13/32	80	permit
371	10.0.0.102/32	10.0.12.13/32	10198	permit
372	10.0.0.102/32	10.0.12.13/32	10319	permit
373	10.0.0.162/32	10.0.0.41/32	55011:55012	permit
374	10.0.0.162/32	sample_101	55011:55012	permit
375	sample_102	10.0.39.195/32	7777	permit
376	10.0.0.188/32	22.118.154.29/32	80	permit
377	sample_4	any	443	permit
378	10.255.255.67/32	sample_4	57001	permit
382	10.0.239.7/32	any	sample_103	permit
383	10.0.239.7/32	any	sample_104	permit
384	any	10.0.239.7/32	sample_104	permit
385	any	sample_1	sample_107	permit
386	any	sample_1	sample_106	permit
394	sample_108	sample_109	636	permit
400	sample_108	sample_109	636	permit
406	sample_28	sample_114	5555	permit
409	sample_115	any	80	permit
410	10.0.0.70/32	10.0.9.210/32	any	permit

Results of redundant analysis

The first policy is a subset of the second one

ID	Source Hosts	Destination Hosts	Services	Action
37	sample_75	sample_76	1645:1646	permit
124	sample_72	sample_73	1645:1646	permit

ID	Source Hosts	Destination Hosts	Services	Action
38	sample_75	sample_76	radius:radius-acct	permit
125	sample_72	sample_73	radius:radius-acct	permit

ID	Source Hosts	Destination Hosts	Services	Action
94	sample_49	10.0.0.164/32	group_94	permit
97	10.0.6.54/32	10.0.0.164/32	mask-reply	permit

ID	Source Hosts	Destination Hosts	Services	Action
37	sample_75	sample_76	1645:1646	permit
124	sample_72	sample_73	1645:1646	permit

ID	Source Hosts	Destination Hosts	Services	Action
312	10.0.0.176/32	10.0.0.110/32	443	permit
325	sample_77	10.0.0.110/32	443	permit

ID	Source Hosts	Destination Hosts	Services	Action
307	sample_68	10.0.0.24/32	80	permit
357	10.0.0.0/8	10.0.0.24/32	80	permit

Results of group analysis

The following policies can be grouped together

ID	Source Hosts	Destination Hosts	Services	Action
30	any	sample_22	group_30	permit
88	any	sample_22	81	permit
89	any	sample_22	449	permit

ID	Source Hosts	Destination Hosts	Services	Action
39	10.0.0.225/32	10.0.0.67/32	group_39	permit
55	10.0.0.225/32	10.0.0.67/32	radius	permit

ID	Source Hosts	Destination Hosts	Services	Action
40	any	10.0.0.20/32	group_40	permit
42	any	10.0.0.20/32	443	permit

ID	Source Hosts	Destination Hosts	Services	Action
90	any	10.0.0.110/32	group_90	permit
91	any	10.0.0.110/32	80	permit
126	any	10.0.0.110/32	11001	permit

ID	Source Hosts	Destination Hosts	Services	Action
92	any	10.0.0.91/32	group_92	permit
93	any	10.0.0.91/32	443	permit

ID	Source Hosts	Destination Hosts	Services	Action
94	sample_49	10.0.0.164/32	group_94	permit
95	sample_49	10.0.0.164/32	echo-reply	permit

ID	Source Hosts	Destination Hosts	Services	Action
183	sample_7	any	group_183	permit
308	sample_7	any	443	permit

ID	Source Hosts	Destination Hosts	Services	Action
185	sample_8	any	group_185	permit
279	sample_8	any	80	permit
309	sample_8	any	443	permit

ID	Source Hosts	Destination Hosts	Services	Action
194	10.0.0.25/32	any	group_194	permit
195	10.0.0.25/32	any	80	permit

ID	Source Hosts	Destination Hosts	Services	Action
262	10.0.0.164/32	sample_49	group_262	permit
263	10.0.0.164/32	sample_49	mask-reply	permit

ID	Source Hosts	Destination Hosts	Services	Action
284	10.0.0.163/32	any	group_284	permit
285	10.0.0.163/32	any	9009	permit

ID	Source Hosts	Destination Hosts	Services	Action
288	10.0.0.164/32	sample_57	group_288	permit
289	10.0.0.164/32	sample_57	echo	permit

ID	Source Hosts	Destination Hosts	Services	Action
290	10.0.0.164/32	sample_57	group_290	permit
291	10.0.0.164/32	sample_57	1050:1075	permit

ID	Source Hosts	Destination Hosts	Services	Action
295	10.0.10.8/30	10.0.0.22/32	group_295	permit
296	10.0.10.8/30	10.0.0.22/32	23	permit

ID	Source Hosts	Destination Hosts	Services	Action
327	sample_78	sample_8	group_327	permit
330	sample_78	sample_8	22	permit

ID	Source Hosts	Destination Hosts	Services	Action
328	sample_78	sample_7	group_328	permit
331	sample_78	sample_7	23	permit
332	sample_78	sample_7	8080	permit

ID	Source Hosts	Destination Hosts	Services	Action
350	sample_99	sample_98	group_350	permit
351	sample_99	sample_98	echo	permit

ID	Source Hosts	Destination Hosts	Services	Action
352	sample_98	sample_99	group_352	permit
353	sample_98	sample_99	echo	permit

ID	Source Hosts	Destination Hosts	Services	Action
404	10.0.0.186/32	10.0.0.70/32	group_404	permit
405	10.0.0.186/32	10.0.0.70/32	sample_17	permit

Results of objects analysis

The following objects can be dropped

Objects
no object-group service sample_104
no object-group service sample_106
no object-group service sample_118
no object-group service sample_119
no object-group service sample_44
no object-group service sample_50
no object-group service sample_54
no object-group service sample_56
no object-group service sample_67
no object-group service sample_80
no object-group service sample_89
no object-group network sample_101
no object-group network sample_102
no object-group network sample_115
no object-group network sample_116
no object-group network sample_117
no object-group network sample_45
no object-group network sample_47
no object-group network sample_48
no object-group network sample_51
no object-group network sample_52
no object-group network sample_53
no object-group network sample_55
no object-group network sample_59
no object-group network sample_60
no object-group network sample_61
no object-group network sample_62
no object-group network sample_66
no object-group network sample_68
no object-group network sample_75
no object-group network sample_76
no object-group network sample_88
no object-group network sample_96

Results of undeclared source host analysis

The following are the rules in which source hosts are not declared in the configuration

Results of undeclared destination host analysis

The following are the rules in which destination hosts are not declared in the configuration

ID	Source Hosts	Destination Hosts	Services	Action
5	any	4000	any	deny
211	10.0.0.193/32	10.0.135/32	64020:64021	permit
212	10.0.0.194/32	10.0.135/32	64020:64021	permit

Results of undeclared services analysis

The following are the rules in which services are not declared in the configuration

ID	Source Hosts	Destination Hosts	Services	Action
1	any	any	42	deny
2	any	any	42	deny
3	any	any	5554	deny
4	any	any	9996	deny
7	any	any	1434	deny
10	sample_12/23	sample_1	80	permit
11	any	sample_2	80	permit
12	any	sample_19	25	permit
13	any	sample_18	25	permit
14	any	sample_38	25	permit
15	any	10.0.0.154/32	25	permit
16	any	sample_10	21	permit
17	sample_12/23	sample_9	8080	permit
18	any	10.0.0.66/32	53	permit
19	any	10.0.0.66/32	53	permit
20	any	10.0.0.67/32	53	permit
21	any	10.0.0.67/32	53	permit
23	any	sample_3	80	permit
29	sample_20	sample_1	80	permit
30	any	sample_22	group_30	permit
32	sample_16/22	10.0.0.78/32	53	permit
34	sample_16/22	10.0.0.77/32	53	permit
35	sample_16/22	10.0.0.77/32	53	permit
36	sample_16/24	sample_21	162	permit
39	10.0.0.225/32	10.0.0.67/32	group_39	permit
40	any	10.0.0.20/32	group_40	permit
43	any	10.0.0.25/32	443	permit
44	any	10.0.0.19/32	echo	permit
45	any	10.0.0.21/32	echo	permit
48	10.0.0.20/32	any	80	permit
49	10.0.0.25/32	any	80	permit
56	any	10.0.0.73/32	25	permit
58	171.68.227.106/32	sample_33	23	permit
59	10.0.0.225/32	sample_33	23	permit
62	sample_46	10.0.0.66/32	radius	permit
63	sample_46	10.0.0.67/32	radius	permit
64	10.30.14.130/32	sample_9	8080:8081	permit
65	10.0.19.2/32	sample_9	8080:8081	permit
80	22.247.15.77/32	10.0.0.168/32	22	permit
90	any	10.0.0.110/32	group_90	permit
92	any	10.0.0.91/32	group_92	permit
94	sample_49	10.0.0.164/32	group_94	permit
116	sample_57	10.0.0.164/32	echo-reply	permit
117	10.0.0.226/32	10.0.0.185/32	2055	permit
121	any	10.0.0.24/32	80	permit
123	any	sample_58	443	permit
125	sample_72	sample_73	radius:radius-acct	permit
133	10.0.0.189/32	10.0.3.92/32	21	permit
136	10.0.0.188/32	22.118.154.29/32	80	permit
137	any	sample_4	443	permit
140	any	10.0.0.116/32	443	permit
141	10.0.0.253/32	sample_24	1645:1656	permit
142	10.0.0.253/32	sample_28	1645:1656	permit
145	any	10.0.0.26/32	443	permit
146	sample_111	10.0.0.12/32	636	permit
147	sample_111	10.0.0.12/32	636	permit
150	any	10.0.0.101/32	25	permit
151	10.0.0.12/32	sample_111	636	permit
153	sample_108	sample_109	636	permit
154	sample_108	sample_109	636	permit
161	sample_37	any	53	permit
162	sample_37	any	53	permit
166	10.0.0.145/32	sample_43	8080	permit
167	10.0.0.66/32	any	53	permit
172	sample_38	any	25	permit
174	10.0.0.145/32	10.0.3.140/32	8080	permit
183	sample_7	any	group_183	permit
185	sample_8	any	group_185	permit
186	sample_29	sample_30	21	permit
187	10.0.0.139/32	sample_30	21	permit
190	any	10.0.0.20/32	443	permit
194	10.0.0.25/32	any	group_194	permit
211	10.0.0.193/32	10.0.135/32	64020:64021	permit
212	10.0.0.194/32	10.0.135/32	64020:64021	permit
213	10.0.0.157/32	10.0.0.137/32	21	permit
245	10.0.0.166/32	10.0.0.137/32	21	permit
246	10.0.0.143/32	10.0.0.84/32	21	permit
247	10.0.0.164/32	10.0.0.51/32	21	permit
249	10.0.0.226/32	10.0.0.66/32	1645	permit
262	10.0.0.164/32	sample_49	group_262	permit
267	sample_8	any	5005	permit
268	sample_7	any	5000	permit
284	10.0.0.163/32	any	group_284	permit
286	10.0.0.163/32	sample_87	9006	permit
288	10.0.0.164/32	sample_57	group_288	permit
290	10.0.0.164/32	sample_57	group_290	permit
292	10.0.0.185/32	10.0.0.226/32	161	permit
293	10.0.10.8/30	10.0.0.22/32	echo	permit
294	10.0.10.8/30	10.0.0.21/32	echo	permit
295	10.0.10.8/30	10.0.0.22/32	group_295	permit
297	10.0.10.8/30	10.0.0.21/32	23	permit
305	10.0.3.156/32	10.0.0.22/32	21	permit
306	10.0.0.156/32	10.0.0.22/32	21	permit
313	10.0.0.110/32	10.0.0.159/32	55012	permit
314	sample_69	sample_70	53	permit
315	sample_69	sample_70	53	permit
316	sample_70	any	53	permit
319	sample_72	sample_73	1645:1646	permit
320	sample_72	sample_73	radius:radius-acct	permit
321	sample_71	sample_73	2002:2010	permit
322	sample_73	sample_74	389	permit
323	sample_73	sample_74	389	permit
324	sample_77	10.0.0.162/32	443	permit
325	sample_77	10.0.0.110/32	443	permit
327	sample_78	sample_8	group_327	permit
328	sample_78	sample_7	group_328	permit
329	10.0.0.96/32	10.0.137.194/32	21	permit
333	sample_81	10.0.39.195/32	7777	permit
336	10.0.0.23/32	10.0.0.1/32	20:21	permit
337	any	10.0.0.110/32	11001	permit
339	any	10.0.0.110/32	11001	permit
349	10.0.0.187/32	13.130.50.253/32	5151	permit
350	sample_99	sample_98	group_350	permit
352	sample_98	sample_99	group_352	permit
357	10.0.0.0/8	10.0.0.24/32	80	permit
358	10.245.1.5/32	10.0.0.102/32	echo-reply	permit
360	10.0.2.71/32	10.0.0.102/32	162	permit
361	10.0.2.72/32	10.0.0.102/32	161	permit
379	10.255.255.69/32	sample_4	57001	permit
380	sample_24	10.0.0.253/32	1645:1656	permit
381	sample_28	10.0.0.253/32	1645:1656	permit
387	sample_105	22.118.154.29/32	80	permit
389	10.0.7.223/32	13.130.50.253/32	5151	permit
390	sample_108	sample_109	626	permit
391	sample_108	sample_109	626	permit
392	sample_110	sample_28	5555	permit
393	sample_110	sample_28	5555	permit
398	10.0.0.101/32	any	25	permit
403	sample_28	sample_114	5555	permit
404	10.0.0.186/32	10.0.0.70/32	group_404	permit

All hosts, objects, groups, services are purely fictitious.