Firewall Wizards mailing list archives
Re: Firewall review tool for Junipers
From: "Lloyd, Mike" <drmike () redseal net>
Date: Tue, 27 Apr 2010 08:16:55 -0700 (PDT)
Fair warning - I build a commercial product for firewall and network analysis. I will try to focus on the technical issues raised here. In context of PCI rule assessments:

On Fri Apr 23 15:17:30 EDT 2010, David wrote:

> Understood, but it's hard to look for changes from 6 months ago in a GUI.
> It's much easier if you can get a report that shows you what has changed so that you can validate the changes.
Yes, and there are several commercial products that can show you a diff for an arbitrary time span, for any flavor of firewall you happen to use. Note, however, that the PCI requirement is not "show that you checked each delta". As written, the reg says you need documentation for every allowed access between the major zones (not just the new ones). That is, the burden is primarily to keep a block of documentation in synch with the block of rules. As such, it's good, but not enough, to just review a 6-month delta list. Also, note that the reg requires review of the ruleset vs the documentation "at least" every six months. The best organizations I've seen manage this on a daily basis! Every change to the rulebase goes right along with a change in the stack of documentation - the two are not allowed to drift. This is a tiny extra effort in a robust change control process, but can be a huge savings when it's assessment time. The tricky part is proving the docs match the network. I've seen companies home-brew this, effectively by trying to prevent any changes outside process and then demonstrating that each change did indeed do what the documentation said. That's tough, so my preferred approach is to throw software, not people, at the task of docs-to-network comparison. (Done right, I claim this is easily the most efficient and lowest labor approach, but the software does end up costing money.)
> In the case of Juniper, they have a semi-supported, mostly undocumented XML import/export function that is the only way I know of to get the rulesets into a different tool.
It's true that the lack of a standard for firewall rule description is painful. As many folks here know, firewalls don't even all follow a uniform architecture. (There are the interface-based, zone-based, and central rule styles. And then there's all the gore of order of NAT processing, routing, etc.) For what it's worth, we work with ASCII from almost all firewall or router types. That is, we had to just deal with the fact that every syntax is different. (Sometimes - Check Point - there's not even an ASCII representation.) We do normalize them all into an XML format, but we haven't released that format or the translators separately. We've discussed releasing it before, but there wasn't a clear community interest. (Largely, we just heard interest from other vendors who could benefit from the effort we've spent to normalize configuration languages!) Do let me know if that's an interesting angle.
> XML does not diff well with line-oriented tools, can anyone point at a good tool for looking for differences in XML files?
Sorry, I don't have a great pointer for that. It would make sense. I'm just suggesting there's more to the problem - even neatly cutting out the diffs doesn't really solve the problem of "prove the network matches the documentation".

Mike Lloyd
Chief Scientist
RedSeal Systems, Inc
"You can't find a route around a firewall by reading the firewall."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
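One way to do the normalize-then-compare that the reply argues for (a rule diff that ignores XML attribute order and whitespace, plus the docs-to-rules check the PCI text actually asks for), as an added example that is not part of the original post or of RedSeal's product. The policy XML schema, the rules and the documentation table are all constructed for illustration; the schema is not Juniper's real export format.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified policy export (NOT Juniper's real schema):
# <policy><rule from=".." to=".." src=".." dst=".." app=".." action=".."/></policy>
OLD_XML = """<policy>
  <rule name="web-in" from="untrust" to="dmz"   src="any"        dst="10.1.1.10" app="https" action="permit"/>
  <rule name="db"     from="dmz"     to="trust" src="10.1.1.10"  dst="10.2.2.5"  app="mysql" action="permit"/>
</policy>"""
# Same rules, attributes reordered and reformatted (a line diff would flag "db"), plus one new permit.
NEW_XML = """<policy>
  <rule name="db" to="trust" from="dmz" app="mysql" dst="10.2.2.5" src="10.1.1.10" action="permit"/>
  <rule name="web-in" from="untrust" to="dmz" src="any" dst="10.1.1.10" app="https" action="permit"/>
  <rule name="adm-in" from="untrust" to="trust" src="any" dst="10.2.2.1" app="ssh" action="permit"/>
</policy>"""

# Constructed documentation table: one business justification per permitted access.
DOCS = {
    ("untrust", "dmz", "any", "10.1.1.10", "https"): "CR-101 public web front end",
    ("dmz", "trust", "10.1.1.10", "10.2.2.5", "mysql"): "CR-102 web tier to database",
    ("dmz", "trust", "10.1.1.10", "10.2.2.6", "mysql"): "CR-099 retired replica",  # no longer in the rulebase
}

FIELDS = ("from", "to", "src", "dst", "app")

def parse_rules(xml_text):
    """Normalize an export to a set of permit tuples; element order, attribute order and whitespace are irrelevant."""
    root = ET.fromstring(xml_text)
    return {tuple(r.get(f) for f in FIELDS) for r in root.iter("rule") if r.get("action") == "permit"}

def semantic_diff(old_xml, new_xml):
    """What a reviewer wants from a 6-month delta: rules that were really added or removed, not reformatted lines."""
    old, new = parse_rules(old_xml), parse_rules(new_xml)
    return {"added": new - old, "removed": old - new}

def docs_vs_rules(xml_text, docs):
    """The stronger check: every permit must be documented, and no documentation may outlive its rule."""
    rules = parse_rules(xml_text)
    return {"undocumented": rules - set(docs), "stale_docs": set(docs) - rules}

if __name__ == "__main__":
    print(semantic_diff(OLD_XML, NEW_XML))
    print(docs_vs_rules(NEW_XML, DOCS))
```

Run against a real export, the same two functions give a reviewer both the delta list and the documentation drift in one pass, which is the daily-sync discipline the reply describes.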