Firewall Wizards mailing list archives

Re: Coding a custom firewall manager for multiple firewall brands. Feasible?


From: Marcin Antkiewicz <firewallwizards () kajtek org>
Date: Thu, 2 Jul 2009 17:17:27 -0500

I just want to know whether the task (interfacing part) is do-able or not.
The brands of firewalls that I'm handling are Checkpoint and Sidewinder 7. I
don't mind coding out all the stuff but I really have limited product
knowledge. Really appreciate any advice or help out there!

It's possible, and done routinely on linux/*BSD/cisco.

You would need to make the script architecture-aware, and maintain
its ability to figure out what firewalls sit across the path.

Then you need to write out the changes as ofiller/dbedit files or
sidewinder scripts, and push them to the firewalls/smart centers via ssh or expect.

On checkpoint, dbedit will not install rules when people are logged in
with rw access, which might be a problem, unless you have/establish fw
change windows and kick them out during that time.

In my case, user group membership and container (src/dst groups, services)
management are the most common tasks. And those can be knocked out first, as
stepping stones to full automation.

It might just be my experience, but often such projects create huge
and fragmented rulesets, and necessitate development of "optimizing" add-ons.
Whatever you do, keep the engine's rule evaluation efficiency in mind.

--
Marcin Antkiewicz
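As an added illustration of the "write out the change as a dbedit file, then push it over ssh" step and of the group-membership stepping stone Marcin mentions (example code, not from the post or from Check Point): the script below validates a change request, emits a dbedit batch and builds the ssh command that would feed it to the SmartCenter. The dbedit command words and the `-local -f` flags follow the syntax I recall from Check Point's dbedit documentation and should be checked against the docs for your version; host, group and SmartCenter names are constructed.

```python
"""Generate a Check Point dbedit batch for a group-membership change.

Added example, not from the original post. dbedit command words
(create / modify / addelement / update / quit) and the flags used in
push_command() are recalled from Check Point docs: verify them for your
SmartCenter version. All object and host names below are constructed.
"""
import ipaddress
import shlex


def dbedit_add_host_to_group(host_name, host_ip, group_name):
    """Return dbedit batch text that creates a plain host object and adds
    it to an existing network group.

    Input is validated first so a typo or an injected string never
    reaches the management station as a dbedit command."""
    addr = ipaddress.ip_address(host_ip)  # raises ValueError on malformed IPs
    if addr.version != 4:
        raise ValueError("this helper only emits IPv4 host objects")
    for name in (host_name, group_name):
        # conservative charset for object names: letters, digits, - _ .
        if not name or not all(c.isalnum() or c in "-_." for c in name):
            raise ValueError(f"unsafe object name: {name!r}")
    lines = [
        f"create host_plain {host_name}",
        f"modify network_objects {host_name} ipaddr {addr}",
        f"update network_objects {host_name}",
        # '' is the (unused) table-key argument of addelement
        f"addelement network_objects {group_name} '' network_objects:{host_name}",
        f"update network_objects {group_name}",
        "quit",
    ]
    return "\n".join(lines) + "\n"


def push_command(smartcenter, remote_path):
    """Return the ssh argv that would run the batch on the SmartCenter
    (-local: operate on the local database, -f: read commands from file).

    Returned instead of executed so the caller can log it, dry-run it,
    or gate it behind the change window the post recommends."""
    return ["ssh", smartcenter, f"dbedit -local -f {shlex.quote(remote_path)}"]


if __name__ == "__main__":
    print(dbedit_add_host_to_group("web-01", "10.1.2.3", "WebServers"))
    print(" ".join(push_command("smartcenter.example.net", "/tmp/change.txt")))
```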
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

