Firewall Wizards mailing list archives
Re: Coding a custom firewall manager for multiple firewall brands. Feasible?
From: Marcin Antkiewicz <firewallwizards () kajtek org>
Date: Thu, 2 Jul 2009 17:17:27 -0500
I just want to know whether the task (interfacing part) is do-able or not. The brands of firewalls that I'm handling are Check Point and Sidewinder 7. I don't mind coding out all the stuff but I really have limited product knowledge. Really appreciate any advice or help out there!
It's possible, and done routinely on Linux/*BSD/Cisco. You would need to make the script architecture-aware, and maintain its ability to figure out what firewalls sit across the path. Then you need to write out the changes as ofiller/dbedit files or Sidewinder scripts, and push them to the firewalls/SmartCenters via ssh or expect. On Check Point, dbedit will not install rules when people are logged in with rw access, which might be a problem, unless you have/establish fw change windows and kick them out during that time.

In my case, user group membership and container (src/dst groups, services) management are the most common tasks. And those can be knocked out first, as stepping stones to full automation.

It might just be my experience, but often such projects create huge and fragmented rulesets, and necessitate development of "optimizing" add-ons. Whatever you do, keep the engine's rule evaluation efficiency in mind.

-- Marcin Antkiewicz
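The following is an added example, not code from the thread or from either vendor, of the two pieces the reply above sketches: a path-aware step that works out which firewalls a flow crosses (longest-prefix match of src and dst over each firewall's per-interface routes; a firewall is on the path when the two land on different interfaces), and per-brand generators that render the "add a host to a group" change, the container-management task the reply calls the easiest stepping stone. The topology, the hostnames, the group name and the host-naming convention are constructed for the example. The dbedit command sequence is the one this editor knows from Check Point's dbedit (create host_plain / modify / update / addelement / savedb) but should be verified against your version's documentation; the Sidewinder 7 "cf" lines are an assumed sketch of that product's batch syntax and must be checked against its reference before use. Pushing is left as a command string because the reply's caveat applies there: dbedit will not save while another administrator holds the read/write lock, so a real pusher must check dbedit's result and retry inside the change window.

```python
"""Path-aware change generator: decide which firewalls a flow crosses, then
render the change in each firewall's native batch syntax (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass
class Firewall:
    name: str
    brand: str                        # "checkpoint" or "sidewinder"
    manager: str                      # SmartCenter host, or the Sidewinder itself
    routes: Dict[str, List[IPNet]]    # interface -> networks reachable through it


def egress_iface(fw: Firewall, addr: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match of addr over the firewall's per-interface routes."""
    best: Optional[Tuple[str, int]] = None
    for iface, nets in fw.routes.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (iface, net.prefixlen)
    return best[0] if best else None


def firewalls_on_path(fws: List[Firewall], src: str, dst: str) -> List[Firewall]:
    """A firewall sits across the path when src and dst resolve to different
    interfaces of it; same interface (or no route) means traffic never crosses it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for fw in fws:
        si, di = egress_iface(fw, s), egress_iface(fw, d)
        if si is not None and di is not None and si != di:
            hits.append(fw)
    return hits


def host_name(ip: str) -> str:
    # Constructed naming convention for generated host objects.
    return "h_" + ip.replace(".", "_")


def dbedit_add_host_to_group(ip: str, group: str) -> str:
    """Check Point dbedit batch file adding a host object to an existing group.
    Verify the command set against your version's dbedit documentation."""
    h = host_name(ip)
    return "\n".join([
        f"create host_plain {h}",
        f"modify network_objects {h} ipaddr {ip}",
        f"update network_objects {h}",
        f"addelement network_objects {group} '' network_objects:{h}",
        f"update network_objects {group}",
        "savedb",      # fails while another admin holds the rw lock: check the result
        "quit",
    ]) + "\n"


def sidewinder_add_host_to_group(ip: str, group: str) -> str:
    """ASSUMED Sidewinder 7 'cf' batch syntax; check against the product reference."""
    h = host_name(ip)
    return (f"cf ipaddr add name={h} ipaddr={ip}\n"
            f"cf netgroup add name={group} members={h}\n")


GENERATORS = {"checkpoint": dbedit_add_host_to_group,
              "sidewinder": sidewinder_add_host_to_group}


def plan_change(fws: List[Firewall], src: str, dst: str, group: str
                ) -> Dict[str, Tuple[str, str]]:
    """Return {firewall name: (push target, script text)} for every firewall on
    the src->dst path, so the same change lands on each brand in its own syntax."""
    plan = {}
    for fw in firewalls_on_path(fws, src, dst):
        plan[fw.name] = (fw.manager, GENERATORS[fw.brand](src, group))
    return plan


def dbedit_push_command(manager: str, user: str, script_path: str) -> str:
    """Command line for pushing a dbedit file to a SmartCenter. The password is
    deliberately not put on the command line (it would show up in the process
    list); let dbedit prompt, or run it from a restricted service account."""
    return f"dbedit -s {manager} -u {user} -f {script_path}"


# Constructed two-tier topology: a Sidewinder between user and server LANs,
# a Check Point edge firewall in front of a DMZ, default routes pointing outward.
TOPOLOGY = [
    Firewall("fw-core", "sidewinder", "fw-core.corp.example",
             {"em0": [IPNet("10.10.1.0/24")],
              "em1": [IPNet("10.10.2.0/24")],
              "em2": [IPNet("0.0.0.0/0")]}),
    Firewall("fw-edge", "checkpoint", "smartcenter.corp.example",
             {"eth0": [IPNet("10.10.0.0/16")],
              "eth1": [IPNet("192.168.50.0/24")],
              "eth2": [IPNet("0.0.0.0/0")]}),
]

if __name__ == "__main__":
    # A user LAN host reaching a DMZ server crosses both firewalls.
    for name, (target, script) in plan_change(
            TOPOLOGY, "10.10.1.5", "192.168.50.10", "grp_web_clients").items():
        print(f"### {name} -> push to {target}\n{script}")
```

Flows between the two LANs behind fw-core resolve to the same interface on fw-edge, so only fw-core gets a script; two Internet addresses resolve to the default route on both boxes and produce no change at all, which is the "is this firewall even in the path" check the reply says the script has to keep maintaining as the topology changes.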
Current thread:
- Re: Coding a custom firewall manager for multiple firewall brands. Feasible? david (Jul 01)
- Re: Coding a custom firewall manager for multiple firewall brands. Feasible? plopz (Jul 02)
- Re: Coding a custom firewall manager for multiple firewall brands. Feasible? Marcin Antkiewicz (Jul 03)
- Re: Coding a custom firewall manager for multiple firewall brands. Feasible? plopz (Jul 02)