
Firewall configuration baseline - any suggested tool ?

    Hi Fellow contractors,

    My boss asked me to create a baseline of our firewall rules because our Infra is outsourced and we have not collected changes made to the configuration so far. So in brief, it is a big mess. Duplicated RFCs are raised to the outsourced services to open/close ports and we end up losing control over what has been done.

    We want to baseline the rules that are on our firewalls (we have 2) but since we have something like 100 rules in total I was wondering if there are tools to produce a report of all rules/policies in place.

    I am not exactly a network guy (I was a Java developer), so I wonder if there is among you a network guru who can share his/her recommendations and suggest any tools that can automate this procedure. (NOTE: After googling a bit, I found Firemon, but I can't find a demo to download.)

    Has anyone a good suggestion to automate this task and maybe some past-experience on how to streamline firewall management ?

    Thank you in advance,

    Z

    #2
    Some clues as to the manufacturer may help...
    World's Best Martini



      #3
      And don't say Microsoft ISA server, always sets our security boys in fits of laughter...



        #4
        Originally posted by zerointeractive View Post (the opening post, quoted in full)
        Depends on the kit involved, but most of the decent enterprise level kit should have a built in web management interface with the option to dump a copy of the ruleset to csv file that may or may not have comments against the rule indicating when and why it was implemented.

        From there it's a case of cross referencing the open ports against any associated comments in the report and the original change requests.

        By the sounds of it you are well and truly stuffed on this one. Outsourced IT. Lack of management oversight (they clearly don't have an in-house security bod since you got lumbered with this), poor / non-existent change control and more than likely the business making its own change requests without going through the IT dept.
        "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



          #5
          We use F5 BigIP firewalls but we don't have access to them in order to dump the configuration to CSV.
          Every time I ask for a dump of the current fw configuration, I receive an HTML tabular output but it is very difficult to maintain.
          Any idea on how a tool may help on that ?



            #6
            Originally posted by zerointeractive View Post
            We use F5 BigIP firewalls but we don't have access to them in order to dump the configuration to CSV.
            Every time I ask for a dump of the current fw configuration, I receive an HTML tabular output but it is very difficult to maintain.
            Any idea on how a tool may help on that ?
            Knock up a Java app to strip out the HTML crud and leave you with the data you actually want?
            "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



              #7
              Originally posted by DaveB View Post
              Knock up a Java app to strip out the HTML crud and leave you with the data you actually want?
              Yes, I did that to parse the HTML to Excel, but maintainability is crucial. An Excel file does not prove to be really useful: versioning, sharing, etc., and then you end up transmitting this file by email. Result = rather insecure.



                #8
                Originally posted by zerointeractive View Post
                Yes, I did that to parse the HTML to Excel, but maintainability is crucial. An Excel file does not prove to be really useful: versioning, sharing, etc., and then you end up transmitting this file by email. Result = rather insecure.
                You're already dealing with 2nd hand data from a third party that's out of date the day you get it, you have no management control over your firewall configurations and you don't actually know what threats you are exposed to. You have bigger issues than which tool to use or whether to email an excel file or not.

                Do the following:

                1. Apply a change freeze on rule changes.

                2. Get a copy of the current ruleset. Tell the supplier not to apply any changes until further notice (Yes you did that in 1. but do it anyway and make sure they understand).

                3. Go through and check the current rule base against the change requests and challenge any that don't add up.

                4. Get a proper change control process in place and insist that all firewall changes are dealt with via the IT department so you know about them before rather than after implementation.

                5. Make it someones job to manage this process (preferably not you, as a Dev you really don't want to get lumbered with this stuff).

                6. Instruct your supplier in words of one syllable or less that under no circumstances are changes to be made unless they have sign-off from a named individual within the IT department who is competent to deal with it. (See 5.)

                7. Instruct the supplier to provide daily rule reports until further notice.

                8. Lift the change freeze.

                9. Reconcile approved changes against the daily reports and make sure inconsistencies are followed up and dealt with.

                10. Repeat 9. until you have confidence in the process.

                11. Change daily reports to monthly and make it BAU to check and reconcile.

                At this point you can think about using tools to automate the process and make life easier. Automating a broken process just automates the cockups.

                Sending a report file in an email is not automatically insecure if you know who the sender and recipient are, know the threats posed and take basic precautions like encrypting the file and sending the password via a different channel. Unless you are the Bank of England or similar it's highly unlikely you need more than that. In fact you probably don't need that anyway since the rule set can be enumerated in seconds from the outside just by running a scan against the external IP address and seeing what comes back. Frankly it's easier to do that than it is to identify and intercept a specific email.

                If you are the Bank of England or similar my day rate is very reasonable and I'm available for consultancy.
                "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.
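Putting DaveB's two suggestions together (strip the HTML export down to the data you want, #6; then reconcile the daily rule reports against the approved change requests, #8), here is an added example. It is not code from this thread or from F5: it assumes the supplier's dump is a plain HTML table with Name/Source/Destination/Protocol/Port/Action/Description columns and that the change log can be expressed as rule name to RFC number. The two exports, the rule names and the RFC numbers are constructed for the demo, and a real BIG-IP export will need the parser's column handling adjusted. It is in Python rather than the Java DaveB mentions; the approach is the same.

```python
# Added example for this thread, not the forum's or F5's code. The column names,
# rule names, RFC numbers and HTML layout below are constructed assumptions.
import hashlib
import json
from html.parser import HTMLParser

MATCH_FIELDS = ("source", "destination", "protocol", "port", "action")  # what a rule does


class RuleTableParser(HTMLParser):
    """Collect every <tr> of the export into a list of cell-text rows."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None  # _cell is None outside <td>/<th>

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th"):
            self._cell = ""

    def handle_data(self, data):
        if self._cell is not None:
            self._cell += data

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._row is not None:
            self._row.append(" ".join(self._cell.split()))  # collapse whitespace
            self._cell = None
        elif tag == "tr" and self._row:
            self.rows.append(self._row)
            self._row = None


def parse_rules(html):
    """Return {rule name: {column: value}}; the first table row is the header."""
    p = RuleTableParser()
    p.feed(html)
    header = [h.lower() for h in p.rows[0]]
    return {rec["name"]: rec for rec in (dict(zip(header, row)) for row in p.rows[1:])}


def baseline_digest(rules):
    """Stable SHA-256 of a ruleset, so the agreed baseline can be versioned and compared."""
    return hashlib.sha256(json.dumps(rules, sort_keys=True).encode()).hexdigest()


def diff_rules(baseline, current):
    """Rule names added, removed and changed (in MATCH_FIELDS) relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current)
                     if any(baseline[n].get(f) != current[n].get(f) for f in MATCH_FIELDS))
    return added, removed, changed


def find_duplicates(rules):
    """Groups of rules whose match fields are identical: the duplicated-RFC problem."""
    groups = {}
    for name, rec in rules.items():
        groups.setdefault(tuple(rec.get(f) for f in MATCH_FIELDS), []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def reconcile(baseline, current, approved):
    """Match each observed change to the change log (rule name -> RFC id); sorted findings."""
    added, removed, changed = diff_rules(baseline, current)
    findings = []
    for kind, names in (("added", added), ("removed", removed), ("changed", changed)):
        for n in names:
            findings.append(("approved", kind, n, approved[n]) if n in approved
                            else ("UNAPPROVED", kind, n, ""))
    for n, rfc in approved.items():  # raised and approved, but not yet on the box
        if n not in added + removed + changed:
            findings.append(("NOT-APPLIED", "approved", n, rfc))
    return sorted(findings)


# Constructed exports standing in for two supplier dumps: the agreed baseline and today's.
_HEAD = ("<tr><th>Name</th><th>Source</th><th>Destination</th><th>Protocol</th>"
         "<th>Port</th><th>Action</th><th>Description</th></tr>")
_ROW = "<tr>" + "<td>{}</td>" * 7 + "</tr>"
BASELINE_HTML = "<table>" + _HEAD + "".join(_ROW.format(*r) for r in [
    ("allow_web", "any", "10.0.1.10", "tcp", "443", "accept", "RFC-1041 public web"),
    ("allow_ssh_mgmt", "10.0.9.0/24", "10.0.1.10", "tcp", "22", "accept", "RFC-1044 jump host"),
    ("deny_all", "any", "any", "any", "any", "drop", "default deny"),
]) + "</table>"
TODAY_HTML = "<table>" + _HEAD + "".join(_ROW.format(*r) for r in [
    ("allow_web", "any", "10.0.1.10", "tcp", "443", "accept", "RFC-1041 public web"),
    ("allow_web2", "any", "10.0.1.10", "tcp", "443", "accept", "RFC-1090 new site"),  # duplicate
    ("allow_ssh_mgmt", "any", "10.0.1.10", "tcp", "22", "accept", "RFC-1044 jump host"),  # widened
    ("allow_smtp", "10.0.1.10", "10.0.3.2", "tcp", "25", "accept", "RFC-1077 outbound mail"),
    ("allow_rdp", "any", "10.0.1.10", "tcp", "3389", "accept", ""),  # nobody raised an RFC
    ("deny_all", "any", "any", "any", "any", "drop", "default deny"),
]) + "</table>"
# Constructed change log: rule name -> approved RFC. RFC-1080 was approved but never applied.
APPROVED = {"allow_smtp": "RFC-1077", "allow_web2": "RFC-1090", "allow_snmp": "RFC-1080"}

if __name__ == "__main__":
    base, today = parse_rules(BASELINE_HTML), parse_rules(TODAY_HTML)
    print("baseline digest:", baseline_digest(base)[:16])
    print(*reconcile(base, today, APPROVED), "duplicates:", find_duplicates(today), sep="\n")
```

Run as a script on the constructed data, the widened allow_ssh_mgmt source and the new allow_rdp rule come out UNAPPROVED, allow_snmp comes out NOT-APPLIED, and allow_web2 is approved yet flagged as a duplicate of allow_web, which is the duplicated-RFC situation from the opening post. Keeping the parsed rules and the baseline digest in version control, rather than an Excel file in someone's inbox, also answers the versioning worry in #7.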



                  #9
                  Originally posted by DaveB View Post
                  If you are the Bank of England or similar my day rate is very reasonable and I'm available for consultancy.
                  You rock!

                  We have a sort-of-centralized change management, and my team do review and approve all RFCs, but what we miss on FW policy is a baseline as a reference to avoid duplicates. We end up running in circles and asking for HTML exports of the BigIP configuration, which goes under SLA, and then it takes some time to obtain, parse and produce a valid reference.
                  It is a bad situation, but I definitely need a tool to read it, not something I need to maintain myself, otherwise I will be the weakest link in the process.



                    #10
                    Good advice from Dave. If you have edjits running the firewalls then it'll always be a mess, and unpicking a large ruleset on a live environment is a lot of work (great for contractors).

                    There are tools like Algosec but 100 entries is a relatively small ruleset and probably best with a manual approach.

                    Lots of places use Excel, it's the enterprise database of choice! Wouldn't recommend baselining the policy into it though, it gets out of sync and painful. Take the pain of organising the policy on the box properly into sections with headings, put decent descriptions on, then put change control on for the future. Make sure the policy is being backed up too!
                    Last edited by smatty; 21 January 2014, 14:07.

