A number of classic scenes in film and literature involve a group approaching a walled city or castle only to be stopped by a gatekeeper and asked, "Halt, who goes there?" Depending on the answer, be it Arthur, son of Uther Pendragon, or Dorothy and the Tin Man, the gatekeeper makes the call on whether the group can pass or is turned away.
Firewalls are the digital correlate of this archetypal gatekeeper: they are the gatekeepers for our corporate network and data center perimeters. Firewalls make the call - packet by packet - on which traffic and which network services are acceptable and may pass through the gates, and which are not and are turned away. But unlike the fictional or historical gatekeepers, the number of rules a firewall employs is mind-boggling.
For example, the fellow guarding the Emerald City trying to keep out Dorothy only had to remember: Default Deny ANY for people with the name Dorothy.
In the real world, perimeter firewalls have extremely complex policies composed of hundreds of different rules - or potentially even more. It's staggeringly complex - but at the same time, extremely precise. The accuracy of the policy set is what makes the firewall effective or not. Having the wrong policy can be tantamount to having no firewall in place at all if risky services are allowed to pass or the wrong ports are left open.
As defined in NIST SP 800-41 Guidelines on Firewalls and Firewall Policies, the firewall policy "dictates how firewalls should handle network traffic for specific IP addresses and address ranges, protocols, applications, and content types ... including which types of traffic can traverse a firewall under what circumstances." Companies that have taken the time to define their policy and rules usually put firewalls into production with a fairly robust policy set. The problem develops over time as change requests arrive and administrators are asked to incorporate more and more rules. Balancing a complex rule set within very tight constraints of precision is possible (though difficult) during initial deployment; adding to that rule set down the road means the same effort and validation is required again and again as the firewall is changed, changed again, and further updated with ever more complex scenarios and additive "one off" situations to accommodate business or technical requirements.
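As an added illustration (not from the original article or from NIST SP 800-41) of how one additive "one off" rule can silently defeat an earlier, more specific rule under first-match evaluation, the following Python script checks a small constructed rule set for shadowed rules, that is, rules that can never fire because an earlier rule already covers every packet they would match. The `Rule` format, the rule names and the addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    src: str       # source CIDR
    dst: str       # destination CIDR
    proto: str     # "tcp", "udp" or "any"
    ports: tuple   # inclusive (low, high) destination port range

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` would match is also matched by `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1])

def shadowed_rules(policy):
    """Under first-match evaluation, return (rule, shadowing rule, actions differ)
    for every rule that can never fire because an earlier rule covers it."""
    found = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if covers(earlier, rule):
                found.append((rule.name, earlier.name, earlier.action != rule.action))
                break
    return found

def evaluate(policy, src, dst, proto, port, default="deny"):
    """First-match decision for one packet; `default` applies when nothing matches."""
    for r in policy:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.ports[0] <= port <= r.ports[1]):
            return r.action
    return default

# Constructed sample policy: a tight initial rule, then a broad "one off" change
# request, then a deny that the administrator believes is still in force.
POLICY = [
    Rule("web-to-app", "allow", "10.0.0.0/8", "192.168.1.10/32", "tcp", (443, 443)),
    Rule("lab-any-to-dmz", "allow", "10.0.0.0/8", "192.168.1.0/24", "any", (1, 65535)),
    Rule("block-ssh-from-lab", "deny", "10.0.5.0/24", "192.168.1.10/32", "tcp", (22, 22)),
]
```

Running `shadowed_rules(POLICY)` reports that `block-ssh-from-lab` is shadowed by `lab-any-to-dmz` with a conflicting action, and `evaluate(POLICY, "10.0.5.7", "192.168.1.10", "tcp", 22)` confirms the SSH connection the deny rule was meant to stop is in fact allowed.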
Another concern is the sliding rule base from firewall to firewall. Large organizations have multiple firewalls...