Rule Viewer Permissiveness Score

Overview

The Rule Viewer Permissiveness score indicates the extent to which a rule is broad or overly permissive, which is important for security assessments and risk management. Rules with high Permissiveness scores allow more traffic, potentially creating a larger attack surface.

How the permissiveness score is calculated

Rule components

The permissiveness score calculation is based on the following rule components:

  • Source addresses/objects

  • Destination addresses/objects

  • Services/ports

Calculation logic

The score calculation logic is as follows:

  • Each component (source, destination, service) gets a base score based on how many IP addresses or ports it covers

  • For IPv4 addresses, the maximum possible score is 2^32 (representing all possible IPv4 addresses)

  • For IPv6 addresses, the maximum possible score is 2^128 (representing all possible IPv6 addresses)

  • For services, the score is calculated based on the number of protocols and ports covered

  • The scores are then logarithmically scaled (using log2) to prevent extremely large numbers

  • The final score is normalized to a range of 3-100

Mathematical formula

  • For each component, the formula takes log2 of its coverage plus 1 (so a component that covers a single address or port contributes log2(1 + 1) = 1)

  • These three logarithmic values are summed together; because each component covers at least one address or port, the smallest possible sum is 3, which is why 3 is subtracted in the next step

  • The result is normalized to a scale of 1-100 using the formula: 1 + 99 * ((score - 3) / maxValue), where maxValue is different for IPv4 and IPv6 rules

Special cases

  • Rules with unsupported actions (anything other than "allow" or "client_authentication") receive a score of -1 (N/A)

  • Rules with negated components (using "NOT" logic) have special calculation adjustments

Object/Host types and their impact

Different types of objects affect the permissiveness score differently:

  • Individual IP Addresses: Contribute minimally to the permissiveness score

  • Subnets: Contribute based on their size (a /24 subnet contributes more than a /30 subnet)

  • Network Groups: The score is calculated based on all members within the group

  • "Any" Objects: These have the maximum possible contribution to the score

  • Service Objects: Contribute based on the number of protocols and ports they cover

Permissiveness levels

The numeric permissiveness score is translated into qualitative levels:

  • Low (1-30): Rules with limited scope, typically with specific sources, destinations and services.

  • Medium (31-40): Rules with a more moderate scope that usually include broader objects or groups.

  • High (41-100): Very permissive rules with broad network ranges or "Any" objects.

  • N/A (≤ 0): Indicates that the rule cannot receive a score, usually because it is an unsupported rule type.

Examples

  • A rule allowing a single IP address to access a specific server on a single port would have a Low permissiveness score

  • A rule allowing a subnet to access multiple servers on several ports would have a Medium permissiveness score

  • A rule allowing "Any" source to access "Any" destination on "Any" service would have the highest possible permissiveness score (High)
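The calculation logic, the special case for unsupported actions, and the level thresholds described above, combined into one runnable model that reproduces the three examples. This is an added illustration, not Rule Viewer's own code. Everything the page does not state is an assumption and is marked as such in the code: a service object is modelled as a (protocol, port count) pair with "any" meaning all 65536 ports on TCP and UDP; maxValue is taken to be the raw score of an all-"Any" rule minus 3, so that rule lands exactly on 100; overlapping objects are summed rather than deduplicated; and the adjustments for negated ("NOT") components are not modelled. The exact number a Medium-range rule gets therefore depends on the maxValue assumption, but the Low and High endpoints follow directly from the formula.

```python
import ipaddress
import math

# Added illustrative model of the documented scoring; not the product's own code.
# Constructed assumptions (not stated on the page): service objects are
# (protocol, port_count) tuples and "any" service means every TCP and UDP port;
# maxValue is the raw score of an all-"Any" rule minus 3; overlapping objects
# are summed, not deduplicated; negated ("NOT") components are not modelled.

ANY_V4 = 2 ** 32                 # all IPv4 addresses (from the page)
ANY_V6 = 2 ** 128                # all IPv6 addresses (from the page)
ANY_SERVICE_PORTS = 2 * 65536    # assumption: all 65536 ports on TCP and UDP
SUPPORTED_ACTIONS = {"allow", "client_authentication"}   # from the page
MIN_RAW = 3.0                    # three components, each at least log2(1 + 1) = 1


def address_coverage(objects, family=4):
    """Count addresses covered by hosts, subnets, 'any', or network groups.
    A network group is passed as a nested list of its members."""
    total = 0
    for obj in objects:
        if isinstance(obj, list):            # network group: score all members
            total += address_coverage(obj, family)
        elif obj == "any":
            total += ANY_V4 if family == 4 else ANY_V6
        else:
            total += ipaddress.ip_network(obj, strict=False).num_addresses
    return total


def service_coverage(services):
    """Count (protocol, port) pairs covered by a list of service objects."""
    total = 0
    for svc in services:
        if svc == "any":
            total += ANY_SERVICE_PORTS
        else:
            _protocol, port_count = svc      # assumed service representation
            total += port_count
    return total


def raw_score(src, dst, svc, family=4):
    """Sum of log2(coverage + 1) over source, destination and service."""
    coverages = (address_coverage(src, family),
                 address_coverage(dst, family),
                 service_coverage(svc))
    return sum(math.log2(c + 1) for c in coverages)


def max_value(family=4):
    """Assumed normalization constant: an all-'Any' rule minus the minimum,
    so that rule normalizes to exactly 100. Differs per address family."""
    return raw_score(["any"], ["any"], ["any"], family) - MIN_RAW


def permissiveness(rule):
    """Return the 1-100 score, or -1 (N/A) for unsupported actions."""
    if rule["action"] not in SUPPORTED_ACTIONS:
        return -1
    family = rule.get("family", 4)
    raw = raw_score(rule["src"], rule["dst"], rule["svc"], family)
    score = 1 + 99 * ((raw - MIN_RAW) / max_value(family))
    return int(round(score))


def level(score):
    """Map a numeric score to the qualitative level used by Rule Viewer."""
    if score <= 0:
        return "N/A"
    if score <= 30:
        return "Low"
    if score <= 40:
        return "Medium"
    return "High"


if __name__ == "__main__":
    # Constructed sample rules mirroring the page's three examples plus a deny.
    samples = {
        "single host -> single server, one port":
            {"action": "allow", "src": ["10.0.0.5"], "dst": ["10.0.1.7"], "svc": [("tcp", 1)]},
        "/16 subnet -> /24 of servers, 16 ports":
            {"action": "allow", "src": ["10.0.0.0/16"], "dst": ["10.1.0.0/24"], "svc": [("tcp", 16)]},
        "any -> any, any service":
            {"action": "allow", "src": ["any"], "dst": ["any"], "svc": ["any"]},
        "deny rule (unsupported action)":
            {"action": "deny", "src": ["any"], "dst": ["any"], "svc": ["any"]},
    }
    for name, rule in samples.items():
        s = permissiveness(rule)
        print(f"{name}: score={s} level={level(s)}")
```

Running the block prints the score and level for each constructed rule; the single-host rule scores 1 (Low), the all-"Any" rule scores 100 (High), and the deny rule returns -1 (N/A). A network group is scored by summing its members, so passing `[["10.0.0.1", "10.0.0.2"]]` as a source counts two addresses, matching the page's description of how groups are treated.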