Re: [fw-wiz] Coding a custom firewall manager for multiple firewall brands. Feasible?

Thank you guys for all your responses.

I kinda feel the same as david about commercial firewall management tools.
There also a lot of trouble and fuss to bring and use external software into
our corporate network. That's the main reason why the fw people are still
using manual data entry into all the fw...

You are right to say that most of the rules can be grouped and there are
some change request that need not be process. E.g. route from host and
destination has no fw, change request is a subset of previous rules etc. I'd
also just taken over some of the firewalls administration and I'm also not
very sure about frequency of the change request as well. I've to apologise
that I cant tell u the reason why there are multiple network segments and
firewall brands though.

My basic idea is to have a program that can process this change request and
churn out rules that be pushed out to the firewalls. Other features such as
optimization of rules can be incorporated later but the most problematic
part for me is to find a way to interface with the firewall OS/management

I just want to know whether the task (interfacing part) is do-able or not.
The brands of firewalls that I'm handling are checkpoint and sidewinder 7. I
don't mind coding out all the stuff but i really have limited product
knowledge. Really appreciate any advise or help out there!


david@xxxxxxx wrote:

On Tue, 30 Jun 2009, plopz wrote:

Hi everyone,

I'd just recently got an extra job role as a firewall administrator and
faced with a network that consists of multitudes of firewall brands
sidewinder etc. ) bulging with almost 3000+ rules. The networks are also
segmented and structured in such a way that adding a new path from one
to another services requires multiple entries into various firewalls that
are in the path. As the requests for new connectivity come in hundreds or
more per week, I feel that the current implementation is not really
scalable. (manual data entries into firewalls and fight-fire
trouble-shooting :(

I'd look at existing firewall managment tools such as solsoft, algosoft
but they don't seems to cover some of the brands that we have. There are
also budget issues, red tapes, securities, stability etc etc issues from
third party vendor...

I'm contemplating on trying to code a custom firewall manager that is
to handle the daily change request and push down the different rules into
the different brand of firewalls in our network. Do you guys think it's
worth the effort or acquiring a third party firewall manger is better?

one thing to note is that some of the brands that you have are not very
receptive to remote administration.

Sidewinder actually has an extensive command line environment, but it's
not well documented in their manuals, but the help functions and some
examination of the output (cf <section> help and cf <section> query) make
it fairly easy to figure out. note that for many cases you will need to
execute many commands to set everything up. one gotcha to watch out for is
that sidewinder has selinux-like permissions, so you have an extra file
type to worry about for your scripts.

the one thing I haven't taken the time to look up is if there is a way
short of expect to ssh in to a sidewinder, srole (change to the admin) and
continue to have a script run)

I don't know if there is any way to script rules in and out of checkpoint
firewalls (your nokias), if anyone can point me at things I would
defiantly be interested.

I would start by trying to categorize the rule change requests that you
are getting. if there are significant patterns, than automating it
shouldn't be too hard, if ther eare no strong patterns I suspect that you
will spend as much time manipulating your automatin tool as you would the

for this sort of thing I am a big believer in home-grown tools. the
one-size-fits-none nature of the do-everything tools doesn't attract me.

another thing to keep in mind is that by centralizing the management
like this, you are working to save time and eliminate simple mistakes that
keep things from working, but you will make it _much_ easier to make
mistakes the other way and open up too much access. the management tool is
also a _very_ poerful thing for any attacker to get control of.

having lots of segments with multiple firewall technologies is probably a
sign of one of two things.

1. the business grew by aquisition and each company that was purchased
used a different firewall and the result is just pasted togeather

2. someone made a deliberate choice to provide defense in depth with
diversity so that a failure/exploit in one technology (or user error
in rule entry) would be limited in how much damage it could do.

if you are in case #2 you should think a little bit before you throw away
the advantages to get the time savings. if you have clueful management
ask them about it (and in any case, make sure they know about what
tradeoff you are making)

if you are in case #1 decide if you want to take advantage of the
diversity or not. if you don't, seriously start a campaign to standardize
the firewalls on one technology that you can automate (ideally something
that you can script, think of the advantages of being able to have a web
page for _some_ _standard_ requests that authenticates the requester and
implements the rule without you getting involved) you don't have to
replace them rapidly, just start replacing them as you get the chance.

you may also want to talk to management about eliminating some of the
firewalls. if you are getting hundreds of requests a week, your current
set of 3000 rules is only about half a year's worth of requests. either
you are turning off a lot of requests, are combining many requests into
a single rule, or your numbers aren't adding up.

at my place we have 60 or so firewall locations (each with a HA pair of
firewalls), we just did a report from our ticketing systems and find that
we are getting ~10 requests/day for the last year, and have 30,000 or so
rules around the network. it's not fun, but I'm not convinced that a
central management is a magic wand to make the pain go away although some
of my co-workers are)

David Lang
firewall-wizards mailing list

View this message in context:
Sent from the Firewall Wizards mailing list archive at

firewall-wizards mailing list

Relevant Pages

  • RE: [fw-wiz] Vulnerability Response
    ... >> management effort scales with the number of hosts. ... It scales non-linearly if the problem area is well-defined. ... Now - if you're gonna make a firewall policy for 10,000 desktops ... When someone talks about doing mitigation at the host level, ...
  • Re: Firewall Management
    ... there after or deciding on managing the firewall myself. ... have built this firewall management service into their proposal, ... and event log analysis -- not unless you are a very small organization ...
  • Re: Firewall for laptops, corporation with 1,000 laptops
    ... Most laptops are WIn2000 Prof. ... >> Do you recommend any firewall that I can deploy on the network? ... Probably around $30 a seat. ... It too probably has a central management server. ...
  • Re: [fw-wiz] OT: vendors please respond
    ... 1> Exactly what is this firewall supposed to be protecting? ... A separate IDS? ... 10> Do you need centralized management? ... 1> Features you MUST have. ...
  • Re: Checkpoint disaster Recovery
    ... Mike Vore wrote: ... : can backup onto. ... as working systems without the firewall. ... Store the platform configuration elements on the management console. ...