Re: [fw-wiz] Coding a custom firewall manager for multiple firewall brands. Feasible?

I just want to know whether the task (interfacing part) is doable or not.
The brands of firewalls that I'm handling are Check Point and Sidewinder 7. I
don't mind coding out all the stuff but I really have limited product
knowledge. Really appreciate any advice or help out there!

It's possible, and done routinely on Linux/*BSD/Cisco.

You would need to make the script architecture-aware, and maintain
its ability to figure out what firewalls sit across the path.

Then you need to write out the changes as ofiller/dbedit files or
Sidewinder scripts, and push them to the firewalls/SmartCenters via ssh or expect.

On Check Point, dbedit will not install rules when people are logged in
with rw access, which might be a problem, unless you have/establish fw
change windows and kick them out during that time.

In my case, user group membership and container (src/dst groups, services)
management are the most common tasks. And those can be knocked out first, as
stepping stones to full automation.

It might just be my experience, but often such projects create huge
and fragmented rulesets, and necessitate development of "optimizing"
add-ons. Whatever you do, keep the engine's rule evaluation efficiency in mind.

Marcin Antkiewicz
firewall-wizards mailing list
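The two steps the reply describes, working out which firewalls a flow actually crosses and then rendering the change in each brand's native format, sketched as an added example (not code from the thread or from either vendor). The topology model is a deliberate simplification I am assuming here: each firewall lists the networks behind each of its interfaces, and a flow crosses it when source and destination land on different interfaces. The Check Point branch emits dbedit commands as I recall their syntax; check them against your SmartCenter version before use. Sidewinder rendering is left unimplemented because the thread gives no script format for it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Firewall:
    name: str
    brand: str        # "checkpoint" or "sidewinder"
    interfaces: dict  # interface name -> list of CIDR strings behind it


def iface_for(fw, ip):
    """Interface of fw that ip sits behind; 'external' if none match."""
    for name, nets in fw.interfaces.items():
        if any(ip in ipaddress.ip_network(net) for net in nets):
            return name
    return "external"


def firewalls_on_path(fws, src, dst):
    """Firewalls a src->dst flow traverses under the assumed topology model."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [fw for fw in fws if iface_for(fw, s) != iface_for(fw, d)]


def render_group_add(fw, group, host, ip):
    """Render 'create host, add it to a group' for one firewall brand."""
    if fw.brand == "checkpoint":
        # dbedit syntax as recalled (assumption): creates the object, sets
        # its address, commits each object, then saves the database.
        return "\n".join([
            f"create host_plain {host}",
            f"modify network_objects {host} ipaddr {ip}",
            f"update network_objects {host}",
            f"addelement network_objects {group} '' network_objects:{host}",
            f"update network_objects {group}",
            "savedb",
        ])
    raise NotImplementedError(f"no renderer for brand {fw.brand!r}")


def plan_group_add(fws, src, dst, group, host, ip):
    """Map firewall name -> script, only for firewalls on the src->dst path."""
    return {fw.name: render_group_add(fw, group, host, ip)
            for fw in firewalls_on_path(fws, src, dst)}


def sample_topology():
    # Constructed sample topology, not a real site.
    return [
        Firewall("fw-dmz", "checkpoint",
                 {"inside": ["10.1.0.0/16"], "dmz": ["192.0.2.0/24"]}),
        Firewall("fw-branch", "sidewinder", {"lan": ["10.2.0.0/16"]}),
    ]
```

Pushing the rendered script to each SmartCenter over ssh, and honouring the rw-session caveat above, is the part left to the reader.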
