Firewall Wizards mailing list archives

Re: Firewall Rule Migration Utilities?


From: Avishai Wool <avishai_w () yahoo com>
Date: Tue, 11 Dec 2001 09:21:58 -0800 (PST)

Johann,

You might be able to use the Lumeta Firewall Analyzer (LFA) to
help you out. We've had clients use it in exactly this way:
run the analysis on the firewall being decommissioned, 
generate the report showing exactly what the existing 
firewall was allowing in (and what NAT it was doing), 
then write the policy using the new firewall's tools based on the
LFA report. 

LFA doesn't translate the policy to a new firewall's language, 
but you get a very clear picture of the existing policy, which 
saves many many hours of grunt work.

LFA supports Cisco PIX and Check Point FW-1. So if you're 
decommissioning a Gauntlet, LFA can't help you, but if you're
decommissioning a FW-1 or PIX, you may want to check it out.

Disclaimer: I created what became the Lumeta Firewall Analyzer
as a researcher at Bell Labs, and I work for Lumeta, so I'm obviously
biased. 

Hope this helps,
 Avishai


--- Johann van Duyn <Johann_van_Duyn () bat com> wrote:
Hi, Chad...

Thanks. Your comments on the issue are noted; however, it would save me a
heap of typing if a conversion tool existed. My plan, given such a tool,
would be to convert the rulebase, and then go through it with a fine-tooth
comb to tidy the new rulebase up, remove the fluff and any badly conceived
rules.

Oh well... it seems I'm in for a busy spell. I hate doing real work. :-/

I just wish I were converting the rulebase to a Raptor firewall... gives me
a much warmer feeling inside.

Cheers

-----------------------------------------
Johann van Duyn, CISSP
IT Risk and Security Manager: British American Tobacco South Africa
Stellenbosch, South Africa
Tel. +27 (21) 8883765
Cel. +27 (82) 4588472
Fax. +27 (21) 8838692
E:mail: johann_van_duyn () bat com
-----------------------------------------
"We see things as we are, not as they are." -- Leon Rosten


From: Chad Schieken <cschieken@lucent.com>
Date: 2001/12/10 22:16
To: Johann van Duyn <Johann_van_Duyn () bat com>, firewall-wizards () nfr com
cc: (bcc: Johann van Duyn/Stellenbosch/ZA/BATCo)
Subject: Re: [fw-wiz] Firewall Rule Migration Utilities?

I would argue that you don't want a tool to perform this, for several
reasons:

1. This is the perfect time to review your ruleset and determine which
rules are needed and which are not. Going through a process of evaluating
the need for, and owner of, each rule should provide significant value to
your organization. I'm going to bet that you find things are no longer
needed, should have already been taken out, and possibly a mistake.

2. No two firewall products are alike. I would argue that a Gauntlet
performs its functions in a way that is unique enough that you wouldn't
want to own a FW-1 with a rulebase converted from Gauntlet. Checkpoint for
instance has the set of policy properties that affect the way rules are
interpreted, that would be difficult to express using the Gauntlet GUI.

I have a colleague who is in the process of shoe-horning a FW-1 into a
space where a Raptor was. He is trying to keep all functionality the same.
You should see the mess of a NAT rulebase he is dealing with.

Thanks,
Chad


At 07:45 AM 12/10/2001, Johann van Duyn wrote:
Hi there...

Is anyone here aware of any firewall rule migration utilities that could
help one to migrate rules from, say, a Gauntlet firewall to a FW-1, or
vice-versa? Something like that could save a person a heck of a lot of
typing when changing firewalls...

Thanks!




Confidentiality Notice: The information in this document and
attachments is confidential and may also be legally privileged.
It is intended only for the use of the named recipient. Internet
communications are not secure and therefore British American
Tobacco does not accept legal responsibility for the contents of
this message. If you are not the intended recipient, please notify us
immediately and then delete this document. Do not disclose the
contents of this document to any other person, nor take any copies.
Violation of this notice may be unlawful.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards







=====
Avishai Wool, Ph.D.,  Chief Scientist & Co-Founder, Lumeta Corp.
220 Davidson Ave, 4th Floor, Somerset, NJ 08873, USA
Email: yash () acm org        Web: http://research.lumeta.com/yash/
Phone: (732) 357-3511  Cell: (973) 420-5919  Fax: (732) 564-0731
    ** Want to audit or debug your firewall's policy? **
Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html
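The rule review that Chad recommends and the "what is the old firewall letting in" report that Avishai describes can both be started vendor-neutrally before any rule is retyped. The script below is an added example, not code from this thread, from Lumeta or from any firewall vendor; the Rule fields, first-match semantics and the sample rulebase are all assumptions constructed for it. It reports rules that can never fire (shadowed by an earlier rule with the opposite action, a likely mistake) or that add nothing (redundant with an earlier rule), and lists the effective accept rules reachable from outside.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str     # "accept" or "drop"
    src: str        # source network, CIDR notation
    dst: str        # destination network, CIDR notation
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive (low, high) destination port range

def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    net = ipaddress.ip_network
    return (net(inner.src).subnet_of(net(outer.src))
            and net(inner.dst).subnet_of(net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])

def review(rules):
    """Dead rules under first-match semantics: name -> (kind, covering rule).
    Only coverage by a single earlier rule is detected (a simplification)."""
    findings = {}
    for i, rule in enumerate(rules):
        for prev in rules[:i]:
            if covers(prev, rule):
                kind = "redundant" if prev.action == rule.action else "shadowed"
                findings[rule.name] = (kind, prev.name)
                break
    return findings

def allowed_inbound(rules, outside="0.0.0.0/0"):
    """Effective accept rules whose source overlaps `outside`: what gets let in."""
    dead = review(rules)
    net = ipaddress.ip_network
    return [(r.name, r.dst, r.proto, r.ports) for r in rules
            if r.action == "accept" and r.name not in dead
            and net(r.src).overlaps(net(outside))]

# Constructed sample rulebase (not from any real firewall), in match order.
SAMPLE = [
    Rule("allow_web",  "accept", "0.0.0.0/0",       "192.0.2.10/32", "tcp", (80, 80)),
    Rule("allow_smtp", "accept", "0.0.0.0/0",       "192.0.2.20/32", "tcp", (25, 25)),
    Rule("drop_rest",  "drop",   "0.0.0.0/0",       "192.0.2.0/24",  "any", (0, 65535)),
    Rule("allow_ssh",  "accept", "198.51.100.0/24", "192.0.2.10/32", "tcp", (22, 22)),
    Rule("allow_web2", "accept", "203.0.113.0/24",  "192.0.2.10/32", "tcp", (80, 80)),
]
```

On the sample, `review(SAMPLE)` flags `allow_ssh` as shadowed by `drop_rest` and `allow_web2` as redundant with `allow_web`, and `allowed_inbound(SAMPLE)` lists only the web and SMTP rules.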
