Firewall Wizards mailing list archives

Re: Firewall review tool for Junipers


From: "Lloyd, Mike" <drmike () redseal net>
Date: Tue, 27 Apr 2010 08:16:55 -0700 (PDT)

Fair warning - I build a commercial product for firewall and network
analysis.  I will try to focus on the technical issues raised here.

In context of PCI rule assessments:

On Fri Apr 23 15:17:30 EDT 2010, David wrote:

> Understood, but it's hard to look for changes from 6 months ago in a
> GUI.
> It's much easier if you can get a report that shows you what has
> changed so that you can validate the changes.

Yes, and there are several commercial products that can show you a diff
for an arbitrary time span, for any flavor of firewall you happen to use.

Note, however, that the PCI requirement is not "show that you checked each
delta".  As written, the reg says you need documentation for every allowed
access between the major zones (not just the new ones).  That is, the
burden is primarily to keep a block of documentation in synch with the
block of rules.  As such, it's good, but not enough, to just review a
6-month delta list.

Also, note that the reg requires review of the ruleset vs the
documentation "at least" every six months.  The best organizations I've
seen manage this on a daily basis!  Every change to the rulebase goes
right along with a change in the stack of documentation - the two are not
allowed to drift.  This is a tiny extra effort in a robust change control
process, but can be a huge savings when it's assessment time.  

The tricky part is proving the docs match the network.  I've seen
companies home-brew this, effectively by trying to prevent any changes
outside process and then demonstrating that each change did indeed do what
the documentation said.  That's tough, so my preferred approach is to
throw software, not people, at the task of docs-to-network comparison.
(Done right, I claim this is easily the most efficient and lowest labor
approach, but the software does end up costing money.)

> In the case of Juniper, they have a semi-supported, mostly
> undocumented XML import/export function that is the only way I know of
> to get the rulesets into a different tool.

It's true that the lack of a standard for firewall rule description is
painful.  As many folks here know, firewalls don't even all follow a
uniform architecture.  (There are the interface-based, zone-based, and
central rule styles.  And then there's all the gore of order of NAT
processing, routing, etc.)

For what it's worth, we work with ascii from almost all firewall or router
types.  That is, we had to just deal with the fact that every syntax is
different.  (Sometimes - Check Point - there's not even an ascii
representation.)  We do normalize them all into an XML format, but we
haven't released that format or the translators separately.  We've
discussed releasing it before, but there wasn't a clear community
interest.  (Largely, we just heard interest from other vendors who could
benefit from the effort we've spent to normalize configuration languages!)
Do let me know if that's an interesting angle.

> XML does not diff well with line-oriented tools, can anyone point at a
> good tool for looking for differences in XML files?

Sorry, I don't have a great pointer for that.  It would make sense.  I'm
just suggesting there's more to the problem - even neatly cutting out the
diffs doesn't really solve the problem of "prove the network matches the
documentation".


Mike Lloyd
Chief Scientist
RedSeal Systems, Inc

"You can't find a route around a firewall by reading the firewall."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
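Two of the points in the exchange above (a line-oriented diff of XML exports is mostly noise, and the PCI burden is to document every permitted cross-zone access, not just the deltas) can be illustrated with a small script. This is an added example, not code from the thread, from RedSeal, or from Juniper: the XML layout, the two policy snapshots and the documentation table are all constructed here, and the element names (`policy`, `source`, `destination`, `service`, `action`) are a simplified hypothetical schema, not any vendor's export format. The approach is to parse each snapshot into an order-independent set of normalized rule tuples, diff the sets, and then check every `permit` rule in the current snapshot against a documentation map.

```python
"""Set-based comparison of two firewall policy snapshots exported as XML,
plus a check that every permitted cross-zone access has a documentation entry.

The XML schema, the snapshots and the DOCS table are constructed for this
example (hypothetical); they do not reproduce any vendor's export format.
"""
import difflib
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Set, Tuple


class Rule(NamedTuple):
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str
    action: str


def _norm(value) -> str:
    # Collapse whitespace and case so cosmetic differences between exports
    # do not show up as rule changes.
    return " ".join((value or "").split()).lower()


def parse_rules(xml_text: str) -> Set[Rule]:
    """Parse a snapshot into an unordered set of normalized rules."""
    root = ET.fromstring(xml_text)
    rules = set()
    for pol in root.iter("policy"):
        rules.add(Rule(
            _norm(pol.get("from")), _norm(pol.get("to")),
            _norm(pol.findtext("source")), _norm(pol.findtext("destination")),
            _norm(pol.findtext("service")), _norm(pol.findtext("action")),
        ))
    return rules


def diff_rulesets(old: Set[Rule], new: Set[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """Return (added, removed) regardless of rule order or formatting."""
    return new - old, old - new


def undocumented_allows(rules: Set[Rule], docs: Dict[tuple, str]) -> List[Rule]:
    """Every permit rule must map to a documentation entry (ticket / justification).
    docs is keyed by (from_zone, to_zone, src, dst, service)."""
    return sorted(r for r in rules
                  if r.action == "permit"
                  and (r.from_zone, r.to_zone, r.src, r.dst, r.service) not in docs)


def raw_text_change_lines(old_text: str, new_text: str) -> int:
    """Count +/- lines a line-oriented unified diff would report on the raw XML."""
    diff = difflib.unified_diff(old_text.splitlines(), new_text.splitlines(), lineterm="")
    return sum(1 for line in diff
               if line.startswith(("+", "-")) and not line.startswith(("+++", "---")))


# Constructed sample snapshots (hypothetical schema). NEW reorders the two
# original policies, changes whitespace/case, and adds one new permit rule.
OLD_SNAPSHOT = """<policies>
  <policy from="trust" to="untrust">
    <source>any</source><destination>any</destination>
    <service>http</service><action>permit</action>
  </policy>
  <policy from="untrust" to="dmz">
    <source>any</source><destination>10.0.1.10</destination>
    <service>https</service><action>permit</action>
  </policy>
</policies>"""

NEW_SNAPSHOT = """<policies>
  <policy from="untrust" to="dmz">
    <source>any</source><destination> 10.0.1.10 </destination>
    <service>HTTPS</service><action>Permit</action>
  </policy>
  <policy from="trust" to="untrust">
    <source>any</source><destination>any</destination>
    <service>http</service><action>permit</action>
  </policy>
  <policy from="untrust" to="trust">
    <source>any</source><destination>any</destination>
    <service>ssh</service><action>permit</action>
  </policy>
</policies>"""

# Constructed documentation table: change-ticket ids are placeholders.
DOCS = {
    ("trust", "untrust", "any", "any", "http"): "CHG-PLACEHOLDER-1",
    ("untrust", "dmz", "any", "10.0.1.10", "https"): "CHG-PLACEHOLDER-2",
}

if __name__ == "__main__":
    old, new = parse_rules(OLD_SNAPSHOT), parse_rules(NEW_SNAPSHOT)
    added, removed = diff_rulesets(old, new)
    print("raw text diff lines:", raw_text_change_lines(OLD_SNAPSHOT, NEW_SNAPSHOT))
    print("semantic added:", added, "removed:", removed)
    print("undocumented permits:", undocumented_allows(new, DOCS))
```

The raw-text diff reports many changed lines for what is semantically a single added rule, while the set comparison isolates that one rule; the documentation check then flags it (and would equally flag any long-standing permit that has lost its paperwork), which is the full-ruleset review the thread says the delta list alone does not give you.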

