If the exception is the policy, you’re doing it wrong

By Mike Rothman

That last one is of particular interest to me today, as I saw a client recently with a rule base for his firewall that was around 1000 rules long. When looking at his compliance results for policy and risk, he was showing me hundreds of rules he wanted to mark as exceptions. I was puzzled – almost two thirds of his rule base consisted of exceptions to the compliance policies they were trying to enforce.

Bottom line: if your exceptions are out of hand, it’s time to rethink your compliance plans or realign operations with compliance. It is one thing to lose track of how policy aligns with reality, another to not do anything about it.

With any kind of positive security policy (defining what is allowed, rather than looking for what is not), you always need to manage exceptions. Michael Hamelin refers to Wendy’s point, posited in a Dark Reading column back in October, that “For every configuration there is an equal and opposite exception.” Wendy is exactly right, and the reality is that firewall operational platforms – which the likes of Tufin, AlgoSec and Firemon provide – are more and more prevalent because firewall policies have become unmanageable.

And it will get worse as folks continue migrating to the NGFW with application-centric policies. So it’s time to get on top of your rule bases, before things really get ugly. I will be doing some research on this later in Q1.
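To make the point concrete, here is an added example (not code from the post or from any of the vendors mentioned) that audits a rule base against a positive policy: every allow rule either matches an explicitly permitted service or is counted as an exception, and the report flags a rule base where exceptions have become the policy. The rule format, the allowed-service list, the 10% threshold and the sample rules are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Union

# Constructed positive policy: (protocol, destination port) -> zones where it is allowed.
# Anything an allow rule permits beyond this list is, by definition, an exception.
ALLOWED_SERVICES = {
    ("tcp", 443): {"dmz"},   # public web
    ("tcp", 25): {"dmz"},    # inbound mail
    ("tcp", 22): {"mgmt"},   # admin SSH
}

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Union[int, str]   # port number or "any"
    action: str                 # "allow" or "deny"

def is_compliant(rule: Rule) -> bool:
    """Deny rules never widen exposure; allow rules must match a permitted service."""
    if rule.action != "allow":
        return True
    if rule.proto == "any" or rule.dst_port == "any":
        return False  # wildcard allows can never be expressed as a positive policy
    zones = ALLOWED_SERVICES.get((rule.proto, rule.dst_port))
    return zones is not None and rule.dst_zone in zones

def audit(rules: List[Rule], max_exception_ratio: float = 0.10) -> Dict[str, object]:
    """Report which rules are exceptions and whether they dominate the rule base."""
    exceptions = [r.name for r in rules if not is_compliant(r)]
    ratio = len(exceptions) / len(rules) if rules else 0.0
    return {
        "total": len(rules),
        "exceptions": exceptions,
        "exception_ratio": ratio,
        "policy_needs_review": ratio > max_exception_ratio,  # constructed threshold
    }

# Constructed sample rule base: three policy-conformant allows, two exceptions, one cleanup deny.
SAMPLE_RULES = [
    Rule("web-in", "internet", "dmz", "tcp", 443, "allow"),
    Rule("mail-in", "internet", "dmz", "tcp", 25, "allow"),
    Rule("admin-ssh", "corp", "mgmt", "tcp", 22, "allow"),
    Rule("legacy-any", "internet", "dmz", "any", "any", "allow"),
    Rule("vendor-rdp", "internet", "corp", "tcp", 3389, "allow"),
    Rule("cleanup", "any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

When `policy_needs_review` comes back true, the fix is the one the post argues for: either tighten the rule base or bring the written policy in line with what operations actually needs, rather than filing another exception.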
