Posted on Feb 22nd, 2011 by Reuven Harrison

Hi again. In this post I'll discuss the new and enhanced automatic policy generator (APG) in TSS 5.3, which was released today.

We first conceived the idea for the APG about three years ago. You can see a blog post that I wrote about it here in June 2009.

The general idea of the APG is to clean up overly permissive firewall rules by inspecting the traffic that flows through them and generating a more refined set of rules to replace the original one.

While the original APG had a command-line interface, the enhanced version in TSS 5.3 now has a graphical user interface.

The APG shows you how permissive each one of your rules is. This assists in identifying rules that need to be tightened up. The permissiveness score ranges from 1 for a host-to-host rule with a single port to 100 for an Any-Any-Any rule.

Next, the APG reads the traffic logs and suggests rules to replace the original one. It shows you how much you're going to gain in terms of permissiveness or, in other words, how much more secure the suggested rule base is compared to the original one.

But, as you know, there's no such thing as a free lunch. Reducing permissiveness has its price, and the price is an increase in the number of rules.

The APG visualizes this tradeoff as an interactive graph: you can click any point on the graph and see the corresponding rule base.

[Figure: automatic policy generator]
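To make the tradeoff concrete, here is an added example (not Tufin's code, and not the APG's real algorithm) that takes a constructed sample of flows seen through an Any-Any-Any rule, builds two candidate replacement rule bases at different granularities, and scores each with an illustrative permissiveness formula that is an assumption of this example: it only reproduces the endpoints stated above (1 for host-to-host with one port, 100 for Any-Any-Any).

```python
import math
from collections import defaultdict

ANY = "any"
ADDR_SPACE, PORT_SPACE = 2 ** 32, 2 ** 16

# Constructed sample of flows observed through an "Any -> Any, Any service"
# rule: (source IP, destination IP, destination port).
OBSERVED_FLOWS = [
    ("10.1.1.5", "10.2.0.10", 443),
    ("10.1.1.5", "10.2.0.11", 443),
    ("10.1.1.6", "10.2.0.10", 443),
    ("10.1.1.6", "10.2.0.10", 22),
    ("10.1.1.7", "10.2.0.11", 443),
]

def _width(field, space):
    """Share of a field's space a rule covers, on a log scale:
    0 for a single host or port, 1 for Any."""
    size = space if field == ANY else len(field)
    return math.log(size) / math.log(space)

def permissiveness(rule):
    """Illustrative score (assumed here, not Tufin's formula): 1 for a
    host-to-host rule with one port, 100 for Any-Any-Any."""
    src, dst, ports = rule
    widths = [_width(src, ADDR_SPACE), _width(dst, ADDR_SPACE),
              _width(ports, PORT_SPACE)]
    return round(1 + 99 * sum(widths) / len(widths))

def per_flow_rules(flows):
    """Tightest candidate: one host-to-host, single-port rule per flow."""
    return [(frozenset([s]), frozenset([d]), frozenset([p]))
            for s, d, p in sorted(set(flows))]

def per_port_rules(flows):
    """Looser candidate: one rule per port, covering every source and
    destination that used that port."""
    by_port = defaultdict(lambda: (set(), set()))
    for s, d, p in flows:
        by_port[p][0].add(s)
        by_port[p][1].add(d)
    return [(frozenset(src), frozenset(dst), frozenset([p]))
            for p, (src, dst) in sorted(by_port.items())]

def tradeoff(flows):
    """Points on the rules-vs-permissiveness curve: (rule count, worst score)."""
    candidates = {"original": [(ANY, ANY, ANY)],
                  "per_port": per_port_rules(flows),
                  "per_flow": per_flow_rules(flows)}
    return {name: (len(rules), max(permissiveness(r) for r in rules))
            for name, rules in candidates.items()}
```

Running `tradeoff(OBSERVED_FLOWS)` gives one point per candidate rule base; the per-port base scores close to the tightest one with far fewer rules, which is the kind of point a user would pick on the graph.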

Once you have the new rule base, you can continue to edit it in SecureTrack and when you're happy with the result, you can export it to a CSV file.

Basing the design on actual traffic presents a breakthrough in the way firewall policies are built and designed. We are very proud of this achievement which is now also patent pending.

Looking forward to your feedback.

Reuven