Re: [fw-wiz] Firewall review tool for Junipers

Fair warning - I build a commercial product for firewall and network
analysis. I will try to focus on the technical issues raised here.

In context of PCI rule assessments:

On Fri Apr 23 15:17:30 EDT 2010, David wrote:

Understood, but it's hard to look for changes from 6 months ago in a
It's much easier if you can get a report that shows you what has
changed so that you can validate the changes.

Yes, and there are several commercial products that can show you a diff
for an arbitrary time span, for any flavor of firewall you happen to use.

Note, however, that the PCI requirement is not "show that you checked each
delta". As written, the reg says you need documentation for every allowed
access between the major zones (not just the new ones). That is, the
burden is primarily to keep a block of documentation in synch with the
block of rules. As such, it's good, but not enough, to just review a
6-month delta list.

Also, note that the reg requires review of the ruleset vs the
documentation "at least" every six months. The best organizations I've
seen manage this on a daily basis! Every change to the rulebase goes
right along with a change in the stack of documentation - the two are not
allowed to drift. This is a tiny extra effort in a robust change control
process, but can be a huge savings when it's assessment time.

The tricky part is proving the docs match the network. I've seen
companies home-brew this, effectively by trying to prevent any changes
outside process and then demonstrating that each change did indeed do what
the documentation said. That's tough, so my preferred approach is to
throw software, not people, at the task of docs-to-network comparison.
(Done right, I claim this is easily the most efficient and lowest labor
approach, but the software does end up costing money.)

In the case of Juniper, they have a semi-supported, mostly
undocumented XML import/export function that is the only way I know of
to get the rulesets into a different tool.

It's true that the lack of a standard for firewall rule description is
painful. As many folks here know, firewalls don't even all follow a
uniform architecture. (There are the interface-based, zone-based, and
central rule styles. And then there's all the gore of order of NAT
processing, routing, etc.)

For what it's worth, we work with ascii from almost all firewall or router
types. That is, we had to just deal with the fact that every syntax is
different. (Sometimes - Check Point - there's not even an ascii
representation.) We do normalize them all into an XML format, but we
haven't released that format or the translators separately. We've
discussed releasing it before, but there wasn't a clear community
interest. (Largely, we just heard interest from other vendors who could
benefit from the effort we've spent to normalize configuration languages!)
Do let me know if that's an interesting angle.

XML does not diff well with line-oriented tools, can anyone point at a
good tool for looking for differences in XML files?

Sorry, I don't have a great pointer for that. It would make sense. I'm
just suggesting there's more to the problem - even neatly cutting out the
diffs doesn't really solve the problem of "prove the network matches the

Mike Lloyd
Chief Scientist
RedSeal Systems, Inc

"You can't find a route around a firewall by reading the firewall."
firewall-wizards mailing list

Relevant Pages

  • Re: Firewall Best Practices
    ... I say "notices enough to tell anyone", the network behind the firewall might ... If you cannot figure out what a rules does, then study the documentation, ... test the rule or preferably the complete ruleset in an ... ..and keep those logs as long as possible. ...
  • Re: [fw-wiz] What challenges are security admins facing?
    ... On Mon, 26 May 2003, Paul Ammann wrote: ... > I've working on the firewall security audit at my company, ... > security admin are facing. ... Ahh, documentation, the bain of most every IT person. ...
  • [fw-wiz] Need to PAT several Networks on Symantec 7.0 firewall.
    ... I have to reuse an old Symantec 7.0 firewall on NT. ... Looking at the documentation for an SGS ... performs NAT'g really PAT'gi.e. each network is mapped to a particular ip Address. ... How does one implement PAT on a Symantec Firewall? ...
  • Re: firewall
    ... ferm - a firewall rule parser for linux ... (looks like a decent way to learn iptables rule writing, ... last update Jan 23 2007 - looks promising ... documentation is weak (but very few of these products have decent ...
  • Re: Win XP "Firewalled" Connection Indicator
    ... the fitness of the MS firewall if there were any ... But I haven't found any useful documentation at all, ... >> month ago and came with XP Pro. ... >> router, and it does network address translation, then my ...