Coding a custom firewall manager for multiple firewall brands. Feasible?
|
View:
New views
7 Messages
—
Rating Filter:
Alert me
|
 |
Coding a custom firewall manager for multiple firewall brands. Feasible?
by plopz
::
Rate this Message:
Hi everyone,
I'd just recently got an extra job role as a firewall administrator and I'm faced with a network that consists of multitudes of firewall brands (nokia, sidewinder etc. ) bulging with almost 3000+ rules. The networks are also segmented and structured in such a way that adding a new path from one host to another services requires multiple entries into various firewalls that are in the path. As the requests for new connectivity come in hundreds or more per week, I feel that the current implementation is not really scalable. (manual data entries into firewalls and fight-fire trouble-shooting :( I'd look at existing firewall managment tools such as solsoft, algosoft etc. but they don't seems to cover some of the brands that we have. There are also budget issues, red tapes, securities, stability etc etc issues from third party vendor... I'm contemplating on trying to code a custom firewall manager that is able to handle the daily change request and push down the different rules into the different brand of firewalls in our network. Do you guys think it's worth the effort or acquiring a third party firewall manger is better? |
|
|
Re: Coding a custom firewall manager for multiple firewall brands. Feasible?
by K Kadow
::
Rate this Message:
Check out Matasano's "Playbook":
http://runplaybook.com/ I tried it about a year ago, was impressed. Kevin On 6/30/09, plopz <minggyang@...> wrote: > > Hi everyone, > > I'd just recently got an extra job role as a firewall administrator and I'm > faced with a network that consists of multitudes of firewall brands (nokia, > sidewinder etc. ) bulging with almost 3000+ rules. The networks are also > segmented and structured in such a way that adding a new path from one host > to another services requires multiple entries into various firewalls that > are in the path. As the requests for new connectivity come in hundreds or > more per week, I feel that the current implementation is not really > scalable. (manual data entries into firewalls and fight-fire > trouble-shooting :( > > I'd look at existing firewall managment tools such as solsoft, algosoft etc. > but they don't seems to cover some of the brands that we have. There are > also budget issues, red tapes, securities, stability etc etc issues from > third party vendor... > > I'm contemplating on trying to code a custom firewall manager that is able > to handle the daily change request and push down the different rules into > the different brand of firewalls in our network. Do you guys think it's > worth the effort or acquiring a third party firewall manger is better? > -- > View this message in context: > http://www.nabble.com/Coding-a-custom-firewall-manager-for-multiple-firewall-brands.-Feasible--tp24275584p24275584.html > Sent from the Firewall Wizards mailing list archive at Nabble.com. > > _______________________________________________ > firewall-wizards mailing list > firewall-wizards@... > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards > -- Sent from my mobile device _______________________________________________ firewall-wizards mailing list firewall-wizards@... https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards |
|
|
Re: Coding a custom firewall manager for multiple firewall brands. Feasible?
by david@lang.hm
::
Rate this Message:
On Tue, 30 Jun 2009, plopz wrote:
> Hi everyone, > > I'd just recently got an extra job role as a firewall administrator and I'm > faced with a network that consists of multitudes of firewall brands (nokia, > sidewinder etc. ) bulging with almost 3000+ rules. The networks are also > segmented and structured in such a way that adding a new path from one host > to another services requires multiple entries into various firewalls that > are in the path. As the requests for new connectivity come in hundreds or > more per week, I feel that the current implementation is not really > scalable. (manual data entries into firewalls and fight-fire > trouble-shooting :( > > I'd look at existing firewall managment tools such as solsoft, algosoft etc. > but they don't seems to cover some of the brands that we have. There are > also budget issues, red tapes, securities, stability etc etc issues from > third party vendor... > > I'm contemplating on trying to code a custom firewall manager that is able > to handle the daily change request and push down the different rules into > the different brand of firewalls in our network. Do you guys think it's > worth the effort or acquiring a third party firewall manger is better? one thing to note is that some of the brands that you have are not very receptive to remote administration. Sidewinder actually has an extensive command line environment, but it's not well documented in their manuals, but the help functions and some examination of the output (cf <section> help and cf <section> query) make it fairly easy to figure out. note that for many cases you will need to execute many commands to set everything up. one gotcha to watch out for is that sidewinder has selinux-like permissions, so you have an extra file type to worry about for your scripts. the one thing I haven't taken the time to look up is if there is a way short of expect to ssh in to a sidewinder, srole (change to the admin) and continue to have a script run) I don't know if there is any way to script rules in and out of checkpoint firewalls (your nokias), if anyone can point me at things I would defiantly be interested. I would start by trying to categorize the rule change requests that you are getting. if there are significant patterns, than automating it shouldn't be too hard, if ther eare no strong patterns I suspect that you will spend as much time manipulating your automatin tool as you would the firewalls. for this sort of thing I am a big believer in home-grown tools. the one-size-fits-none nature of the do-everything tools doesn't attract me. another thing to keep in mind is that by centralizing the management like this, you are working to save time and eliminate simple mistakes that keep things from working, but you will make it _much_ easier to make mistakes the other way and open up too much access. the management tool is also a _very_ poerful thing for any attacker to get control of. having lots of segments with multiple firewall technologies is probably a sign of one of two things. 1. the business grew by aquisition and each company that was purchased used a different firewall and the result is just pasted togeather 2. someone made a deliberate choice to provide defense in depth with diversity so that a failure/exploit in one technology (or user error in rule entry) would be limited in how much damage it could do. if you are in case #2 you should think a little bit before you throw away the advantages to get the time savings. if you have clueful management ask them about it (and in any case, make sure they know about what tradeoff you are making) if you are in case #1 decide if you want to take advantage of the diversity or not. if you don't, seriously start a campaign to standardize the firewalls on one technology that you can automate (ideally something that you can script, think of the advantages of being able to have a web page for _some_ _standard_ requests that authenticates the requester and implements the rule without you getting involved) you don't have to replace them rapidly, just start replacing them as you get the chance. you may also want to talk to management about eliminating some of the firewalls. if you are getting hundreds of requests a week, your current set of 3000 rules is only about half a year's worth of requests. either you are turning off a lot of requests, are combining many requests into a single rule, or your numbers aren't adding up. at my place we have 60 or so firewall locations (each with a HA pair of firewalls), we just did a report from our ticketing systems and find that we are getting ~10 requests/day for the last year, and have 30,000 or so rules around the network. it's not fun, but I'm not convinced that a central management is a magic wand to make the pain go away although some of my co-workers are) David Lang _______________________________________________ firewall-wizards mailing list firewall-wizards@... https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards |
|
|
Re: Coding a custom firewall manager for multiple firewall brands. Feasible?
by Marcin Antkiewicz
::
Rate this Message:
> I'd just recently got an extra job role as a firewall administrator and I'm
> faced with a network that consists of multitudes of firewall brands (nokia, > sidewinder etc. ) bulging with almost 3000+ rules. The networks are also > segmented and structured in such a way that adding a new path from one host > to another services requires multiple entries into various firewalls that > are in the path. As the requests for new connectivity come in hundreds or > more per week, I feel that the current implementation is not really > scalable. (manual data entries into firewalls and fight-fire > trouble-shooting :( I am in a similar situation, with an environment that has more firewalls than sensible people will report as a count of their fw rules. Form my experience, you will find software that will analyse the aggregate of your ruleset without _much_ trouble. Tuffin, FireMon, BMC Patrol, yada yada. Some are better, some are crufty but, if your goal is to get "rule masking" or some policy warnings, that will work fine. Playbook seems quite nice for CLI managed devices, but they do not support Checkpoint. Opsec CPMI promises remote access to the databases which, in theory would allow 3rd party rule management, but I was not able to find anyone who sells such product. On the other hand, my attempts to get LEA to work, and a few less-than-vanilla upgrades destroyed whatever hope I had for this fine product line (OPSEC and whatever else comes from CheckPoint). -- Marcin Antkiewicz _______________________________________________ firewall-wizards mailing list firewall-wizards@... https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards |
|
|
Re: Coding a custom firewall manager for multiple firewall brands. Feasible?
by matt.foster
::
Rate this Message:
Not sure if this could help < this is not a product pitch>, we have seen a lot of interest from customers with similar issues who have taken a look at our RedSeal Network Advisor product to help with understanding what current possible traffic paths are open through their network and what config changes through multiple devices are required to open access.
I know that this is not executing the change but it does help users dramatically speed up the process of understanding what needs to change in multi vendor environments where it is vital to understand how all devices interact with each other. Stephen Northcutt from SANS commented on his blog recently about RedSeal for an independant view. https://blogs.sans.org/security-leadership/2009/06/03/first-look-redseal/ Cheers Matt
|
|
|
Re: Coding a custom firewall manager for multiple firewall brands. Feasible?
by plopz
::
Rate this Message:
Thank you guys for all your responses.
I kinda feel the same as david about commercial firewall management tools. There also a lot of trouble and fuss to bring and use external software into our corporate network. That's the main reason why the fw people are still using manual data entry into all the fw... You are right to say that most of the rules can be grouped and there are some change request that need not be process. E.g. route from host and destination has no fw, change request is a subset of previous rules etc. I'd also just taken over some of the firewalls administration and I'm also not very sure about frequency of the change request as well. I've to apologise that I cant tell u the reason why there are multiple network segments and firewall brands though. My basic idea is to have a program that can process this change request and churn out rules that be pushed out to the firewalls. Other features such as optimization of rules can be incorporated later but the most problematic part for me is to find a way to interface with the firewall OS/management tool. I just want to know whether the task (interfacing part) is do-able or not. The brands of firewalls that I'm handling are checkpoint and sidewinder 7. I don't mind coding out all the stuff but i really have limited product knowledge. Really appreciate any advise or help out there! plopz
|
|
|
Re: Coding a custom firewall manager for multiple firewall brands. Feasible?
by Marcin Antkiewicz
::
Rate this Message:
> I just want to know whether the task (interfacing part) is do-able or not.
> The brands of firewalls that I'm handling are checkpoint and sidewinder 7. I > don't mind coding out all the stuff but i really have limited product > knowledge. Really appreciate any advise or help out there! It's possible, and done routinely on linux/*BSD/cisco. You would need to make the script architecture-aware, and maintain it's ability to figure out what firewalls sit across the path. Than you need to write out the changes as ofiller/dbedit files or sidewinder scripts, and push them to the firewalls/smart centers via ssh or expect. On checkpoint, dbedit will not install rules when people are logged with rw access, which might be a problem, unless you have/establish fw change windows and kick them out during that time. In my case, user group membership and container (src/dst groups, services) management are the most common tasks. And those can be knocked out first, as stepping stones to full automation. It might just be my experience, but often such projects create a huge and fragmented rulesets, and necessitate development of "optimizing" add-ons. Whatever you do, keep the engine's rule evaluation efficiency in mind. -- Marcin Antkiewicz _______________________________________________ firewall-wizards mailing list firewall-wizards@... https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards |
| Free embeddable forum powered by Nabble | Forum Help |
