Hello. We've recently outsourced a large IT project to a very well known solutions provider. The infrastructure is being hosted at their facility, with about 40 servers, segregated into different security zones using an FWSM in a 6500 (our original design). We've recently come to discover that the FWSM, which we bought and is being used only for us, has over 41,000 rules on it already.
After being able to look at the rule base, we've noticed a lot of very strange things. There are approximately 20 domain controllers scattered around various parts of our network, each needing to get out on the network on the exact same ports. But what we've noticed is that they've created a separate rule (ACL) for every server and every port that is needed. This alone translates to somewhere in the neighborhood of 18,000 rules.
Would it not have made sense to use an object group (I'm not an FWSM expert; we assumed the solution provider was) in order to cut down on the number of ACLs, or would it still somehow add up to the same number? We are already almost halfway through the allowed number of rules on the FWSM.
Any info would be much appreciated.
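As an added illustration (not part of the original post), here is a small Python model of the two ways of writing the same policy: one explicit ACE per host, destination and port, versus three object groups and a single ACE. It assumes, as the FWSM does when it compiles an ACL, that an object-group ACE is expanded into one entry per combination of group members, so the configuration gets much shorter but the compiled entry count is the product of the group sizes; all addresses, ports and group names are constructed for the example.

```python
from itertools import product

# Constructed sample policy: hypothetical DC addresses, two destination
# subnets and a subset of the TCP ports a domain controller needs.
DC_HOSTS = ["10.1.1.10", "10.1.2.10", "10.2.1.10", "10.3.1.10"]
DEST_NETS = ["10.9.0.0 255.255.255.0", "10.10.0.0 255.255.255.0"]
TCP_PORTS = [53, 88, 135, 389, 445, 636]


def per_host_aces(hosts, dests, ports):
    """One explicit ACE per (host, destination, port), as the post describes."""
    return [
        f"access-list DC_OUT extended permit tcp host {h} {d} eq {p}"
        for h, d, p in product(hosts, dests, ports)
    ]


def object_group_config(hosts, dests, ports):
    """The same policy written with object groups: three groups and one ACE."""
    lines = ["object-group network DC_HOSTS"]
    lines += [f" network-object host {h}" for h in hosts]
    lines.append("object-group network DC_DESTS")
    lines += [f" network-object {d}" for d in dests]
    lines.append("object-group service DC_TCP tcp")
    lines += [f" port-object eq {p}" for p in ports]
    lines.append("access-list DC_OUT extended permit tcp object-group DC_HOSTS "
                 "object-group DC_DESTS object-group DC_TCP")
    return lines


def expanded_ace_count(hosts, dests, ports):
    """Entries the firewall compiles from the object-group ACE (assumed
    expansion into every member combination): identical to the per-host count."""
    return len(hosts) * len(dests) * len(ports)


if __name__ == "__main__":
    explicit = per_host_aces(DC_HOSTS, DEST_NETS, TCP_PORTS)
    grouped = object_group_config(DC_HOSTS, DEST_NETS, TCP_PORTS)
    print(f"explicit ACEs in config:      {len(explicit)}")
    print(f"object-group lines in config: {len(grouped)}")
    print(f"compiled ACEs either way:     "
          f"{expanded_ace_count(DC_HOSTS, DEST_NETS, TCP_PORTS)}")
```

The config shrinks from 48 lines to 16, but the compiled entry count that is compared against the FWSM rule limit stays at 48, so the real lever is collapsing the per-server entries into shared groups only where the expanded product is genuinely smaller than what exists today.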