Re: [fw-wiz] Coding a custom firewall manager for multiple firewall brands. Feasible?

> I'd just recently got an extra job role as a firewall administrator and I'm faced with a network that consists of multitudes of firewall brands (Nokia, Sidewinder etc.) bulging with almost 3000+ rules. The networks are also segmented and structured in such a way that adding a new path from one host to another service requires multiple entries into various firewalls that are in the path. As the requests for new connectivity come in hundreds or more per week, I feel that the current implementation is not really scalable (manual data entries into firewalls and fire-fighting troubleshooting :(

I am in a similar situation, with an environment that has more firewalls than sensible people will report as a count of their fw rules.

From my experience, you will find software that will analyse the aggregate of your ruleset without _much_ trouble. Tufin, FireMon, BMC Patrol, yada yada. Some are better, some are crufty but, if your goal is to get "rule masking" or some policy warnings, that will work fine.

Playbook seems quite nice for CLI managed devices, but they do not support Checkpoint. OPSEC CPMI promises remote access to the databases which, in theory, would allow 3rd party rule management, but I was not able to find anyone who sells such a product. On the other hand, my attempts to get LEA to work, and a few less-than-vanilla upgrades, destroyed whatever hope I had for this fine product line (OPSEC and whatever else comes from CheckPoint).

Marcin Antkiewicz
firewall-wizards mailing list
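The two checks the thread is circling around, "rule masking" in one device's ruleset and "which firewalls on the path need a new entry" for a connectivity request, are small enough to prototype over a vendor-neutral rule model before buying anything. The script below is an added example and is not code from either poster or from any of the products named; the rule model, the firewall names, the rules and the topology in it are constructed for illustration, and first-match semantics with a default drop are assumed.

```python
"""Added example (not from the original thread): a vendor-neutral rule model
with two checks for a multi-brand estate:
  1. masked_rules()   - rules that can never match because an earlier rule
                        already covers every packet they would match
  2. path_check()     - for a requested flow, what each firewall on the path
                        decides today, so you know where a new entry is needed
Assumptions: first-match evaluation, default drop, IPv4 only.
All firewall names, rules and the path below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range
    action: str              # "accept" or "drop"

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.proto == "any" or self.proto == other.proto)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, port: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.proto == "any" or self.proto == proto)
                and self.ports[0] <= port <= self.ports[1])


def rule(name: str, src: str, dst: str, proto: str, ports: Tuple[int, int], action: str) -> Rule:
    """Convenience constructor taking CIDR strings."""
    return Rule(name, ip_network(src), ip_network(dst), proto, ports, action)


def masked_rules(ruleset: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (masked_rule, masking_rule, kind) for every rule an earlier rule
    fully covers. Same action -> 'redundant'; different action -> 'unreachable'
    (the later rule expresses an intent the device never enforces)."""
    found = []
    for i, later in enumerate(ruleset):
        for earlier in ruleset[:i]:
            if earlier.covers(later):
                kind = "redundant" if earlier.action == later.action else "unreachable"
                found.append((later.name, earlier.name, kind))
                break  # first covering rule is enough to establish masking
    return found


def decision(ruleset: List[Rule], src: IPv4Address, dst: IPv4Address,
             proto: str, port: int, default: str = "drop") -> str:
    """First-match evaluation with an implicit default action."""
    for r in ruleset:
        if r.matches(src, dst, proto, port):
            return r.action
    return default


def path_check(path: List[str], firewalls: Dict[str, List[Rule]],
               src: str, dst: str, proto: str, port: int) -> List[Tuple[str, str]]:
    """What each firewall on the path currently decides for the requested flow."""
    s, d = ip_address(src), ip_address(dst)
    return [(fw, decision(firewalls[fw], s, d, proto, port)) for fw in path]


def firewalls_needing_entry(path, firewalls, src, dst, proto, port) -> List[str]:
    """Firewalls on the path that do not already permit the flow."""
    return [fw for fw, verdict in path_check(path, firewalls, src, dst, proto, port)
            if verdict != "accept"]


# Constructed sample estate: two devices of different make on one path.
FIREWALLS: Dict[str, List[Rule]] = {
    "dmz-fw": [   # imagine vendor A
        rule("dmz-1", "10.1.0.0/16", "10.2.0.0/24", "tcp", (443, 443), "accept"),
        rule("dmz-2", "10.1.5.0/24", "10.2.0.10/32", "tcp", (443, 443), "accept"),  # covered by dmz-1
        rule("dmz-3", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535), "drop"),
        rule("dmz-4", "10.1.0.0/16", "10.2.0.0/24", "tcp", (22, 22), "accept"),     # never reached
    ],
    "core-fw": [  # imagine vendor B
        rule("core-1", "10.1.0.0/16", "10.2.0.0/24", "tcp", (443, 443), "accept"),
    ],
}
PATH = ["dmz-fw", "core-fw"]

if __name__ == "__main__":
    for fw, rules in FIREWALLS.items():
        for masked, by, kind in masked_rules(rules):
            print(f"{fw}: rule {masked} is {kind}, masked by {by}")
    print("ssh 10.1.5.7 -> 10.2.0.10 needs entries on:",
          firewalls_needing_entry(PATH, FIREWALLS, "10.1.5.7", "10.2.0.10", "tcp", 22))
```

Running it reports `dmz-2` as redundant and `dmz-4` as unreachable on the DMZ device, and shows that the HTTPS flow already passes both devices while an SSH request would need an entry on each. Feeding this from real exports means writing one normaliser per vendor into the `Rule` shape, which is the part the commercial tools charge for.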
