Firewall Wizards mailing list archives

Re: Firewall Rule Migration Utilities?


From: "Volker Tanger" <volker.tanger () discon de>
Date: Tue, 11 Dec 2001 18:13:34 +0100

Greetings!

For the ease of understanding: oversimplifying, Gauntlet, TIS and Raptor are proxies, whereas Checkpoint (and Pix and other appliances) are packet filters. For this very reason it is harder to convert across these two classes than within one (e.g. Gauntlet to Raptor). Just be careful with it - you're in the middle of the "best-fit vs. first-match" battleground with Gauntlet->FW1.

Unfortunately I only know of one "migration" tool, which is usable for migration from Raptor to Checkpoint (http://www.wyae.de/software/fwtools.html). This was just a quick hack which only converts the network entities - which helps a lot when migrating a big rulebase and takes off a lot of typing work (and possible typo errors). It does not help with the rules themselves though.

As for Checkpoint Firewall-1: the upcoming FW1rules script (same URL) will be able to dump objects and rules into separate tables for further conversion (okay, it already does this, but the usual main output isn't implemented yet). If I get the proper support (e.g. patches) this tool can be used as base for conversions from Checkpoint rulebases.

I have to agree with Chad that any migration is an excellent opportunity to refine, strip down and document the ruleset. I especially recommend having a manager's signature for each and every rule, where they take over responsibility (and accountability) for each and every rule they demand - if only to scare off the "utterly important" stuff. ;-)

From my experience (converting Raptor - Checkpoint - Linux IPtables - SonicWall) it is much easier to start with an empty rulebase and a (signed!) list of business needs than to erase single "superfluous" rules from a given ruleset. I can nearly guarantee you won't find the obscure interdependencies hidden in the grown^H^H^H^H^Hsprawled ruleset - which can break your neck...

As for a list of converted network objects: they save a lot of typing and (typo) trouble - and are much easier to clean up (just delete the unused) than a(ny) rulebase.

Good luck!
        Volker

--

Volker Tanger  <volker.tanger () discon de>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/
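Worked illustration of the "best-fit vs. first-match" hazard mentioned in the post. This is an added example, not code from the post or from the fwtools project: it evaluates one constructed ruleset under ordered first-match (FW-1 style) and under a simplified best-fit model in which the most specific matching rule wins; that best-fit model is an assumption for demonstration, not Gauntlet's actual algorithm, and all addresses are constructed.

```python
# Added example: the same rules, two evaluation semantics, different verdicts.
from ipaddress import ip_address, ip_network

# Constructed sample ruleset: (source, destination, service, action).
RULES = [
    ("10.0.0.0/8",  "0.0.0.0/0",       "http", "allow"),  # broad allow
    ("10.1.2.0/24", "192.168.5.10/32", "http", "deny"),   # specific deny
    ("0.0.0.0/0",   "0.0.0.0/0",       "any",  "deny"),   # clean-up rule
]

def matches(rule, src, dst, svc):
    """True if the flow (src, dst, svc) falls inside the rule's scope."""
    r_src, r_dst, r_svc, _ = rule
    return (ip_address(src) in ip_network(r_src)
            and ip_address(dst) in ip_network(r_dst)
            and r_svc in ("any", svc))

def first_match(rules, src, dst, svc):
    """Ordered evaluation: the first matching rule decides (FW-1 style)."""
    for rule in rules:
        if matches(rule, src, dst, svc):
            return rule[3]
    return "deny"  # implicit default when nothing matches

def specificity(rule):
    """Assumed measure of 'fit': longer prefixes and a named service
    count as more specific than wildcards."""
    r_src, r_dst, r_svc, _ = rule
    return (ip_network(r_src).prefixlen + ip_network(r_dst).prefixlen
            + (1 if r_svc != "any" else 0))

def best_fit(rules, src, dst, svc):
    """Assumed best-fit semantics: the most specific matching rule
    decides, regardless of its position in the list."""
    candidates = [r for r in rules if matches(r, src, dst, svc)]
    if not candidates:
        return "deny"
    return max(candidates, key=specificity)[3]

def compare(rules, src, dst, svc):
    """Return (first-match verdict, best-fit verdict) for one flow."""
    return first_match(rules, src, dst, svc), best_fit(rules, src, dst, svc)

if __name__ == "__main__":
    # This flow matches both the broad allow and the specific deny,
    # so a rulebase copied 1:1 between the two models changes its meaning.
    print(compare(RULES, "10.1.2.7", "192.168.5.10", "http"))
    print(compare(RULES, "10.5.5.5", "8.8.8.8", "http"))
```

Any flow where the two verdicts differ is a rule that must be reordered or rewritten during migration rather than copied verbatim.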
