Good advice from Dave. If you have edjits running the firewalls then it'll always be a mess, and unpicking a large ruleset on a live environment is a lot of work, great for contractors.
There are tools like Algosec but 100 entries is a relatively small ruleset and probably best with a manual approach.
Lots of places use Excel, it's the enterprise database of choice! Wouldn't recommend baselining the policy into it though, gets out of sync and painful. Take the pain of organising the policy on the box properly into sections with headings & put decent descriptions on then put change control on for future. Make sure the policy is being backed up too!
Previously on "Firewall configuration baseline - any suggested tool ?"
-
Originally posted by DaveB:
If you are the Bank of England or similar my day rate is very reasonable and I'm available for consultancy.
We have a sort-of-centralized change management, and my team do review and approve all RFCs but what we miss on FW policy is a baseline as a reference to avoid duplicates. We end up running in circles and asking for HTML exports from BigIP configuration - which goes under SLA - and then it takes some time to obtain, parse and produce a valid reference.
It is a bad situation, but I definitely need a tool to read it, not something I need to maintain it myself otherwise I will be the weakest link in the process.
Leave a comment:
-
Originally posted by zerointeractive:
Yes.. I did that to parse the HTML to Excel, but maintainability is crucial. An Excel file does not prove to be really useful: versioning, sharing, etc.. and then you end up transmitting this file by email. Result = rather insecure.
Do the following:
1. Apply a change freeze on rule changes.
2. Get a copy of the current ruleset. Tell the supplier not to apply any changes until further notice (Yes you did that in 1. but do it anyway and make sure they understand).
3. Go through and check the current rule base against the change requests and challenge any that don't add up.
4. Get a proper change control process in place and insist that all firewall changes are dealt with via the IT department so you know about them before rather than after implementation.
5. Make it someone's job to manage this process (preferably not you, as a Dev you really don't want to get lumbered with this stuff).
5. Instruct your supplier in words of one syllable or less that under no circumstances are changes to be made unless they have sign off from a named individual within the IT department who is competent to deal with it. (See 5.)
6. Instruct the supplier to provide daily rule reports until further notice.
7. Lift the change freeze.
8. Reconcile approved changes against the daily reports and make sure inconsistencies are followed up and dealt with.
9. Repeat 8. until you have confidence in the process.
10. Change daily reports to monthly and make it BAU to check and reconcile.
At this point you can think about using tools to automate the process and make life easier. Automating a broken process just automates the cockups.
Sending a report file in an email is not automatically insecure if you know who the sender and recipient are, know the threats posed and take basic precautions like encrypting the file and sending the password via a different channel. Unless you are the Bank of England or similar it's highly unlikely you need more than that. In fact you probably don't need that anyway since the rule set can be enumerated in seconds from the outside just by running a scan against the external IP address and seeing what comes back. Frankly it's easier to do that than it is to identify and intercept a specific email.
If you are the Bank of England or similar my day rate is very reasonable and I'm available for consultancy.
Leave a comment:
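One way to carry out the reconciliation in steps 8 to 10 of the post above once the supplier's HTML rule reports arrive, as an added example that is not code from the thread. It assumes the export is a single table with Source, Destination, Port and Action columns (the real BIG-IP report layout will differ), and every name and address in it is constructed.

```python
from html.parser import HTMLParser

COLUMNS = ("source", "destination", "port", "action")  # assumed export headers

class TableRows(HTMLParser):
    """Collect the text of each table cell, one list per <tr>."""
    def __init__(self):
        super().__init__()
        self.rows, self._in_cell = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self.rows.append([])
        elif tag in ("td", "th") and self.rows:
            self.rows[-1].append("")
            self._in_cell = True
    def handle_endtag(self, tag):
        if tag in ("td", "th"):
            self._in_cell = False
    def handle_data(self, data):
        if self._in_cell:
            self.rows[-1][-1] += data

def parse_rules(html):
    """Return the export as a set of normalised rule tuples."""
    parser = TableRows()
    parser.feed(html)
    rows = [[" ".join(c.split()).lower() for c in r] for r in parser.rows if r]
    idx = [rows[0].index(c) for c in COLUMNS]
    return {tuple(r[i] for i in idx) for r in rows[1:]}

def reconcile(baseline, report, approved):
    """approved maps a rule tuple to 'add' or 'remove' (signed-off change requests)."""
    want_add = {r for r, op in approved.items() if op == "add"}
    want_del = approved.keys() - want_add
    return {
        "unapproved_added": sorted(report - baseline - want_add),
        "unapproved_removed": sorted(baseline - report - want_del),
        "approved_not_applied": sorted((want_add - report) | (want_del & report)),
        "duplicate_requests": sorted(want_add & baseline),
    }

def to_html(rules):  # renders a constructed sample export (mixed case, padded cells)
    row = lambda cells, t: "<tr>" + "".join(f"<{t}> {c.title()} </{t}>" for c in cells) + "</tr>"
    return "<table>" + row(COLUMNS, "th") + "".join(row(r, "td") for r in rules) + "</table>"

WEB, DB = ("10.0.0.0/24", "10.1.0.10", "443", "accept"), ("10.1.0.10", "10.2.0.5", "1521", "accept")
RDP, SMTP = ("any", "10.1.0.10", "3389", "accept"), ("10.0.0.0/24", "10.1.0.40", "25", "accept")
APPROVED = {DB: "add", WEB: "add", SMTP: "add"}  # WEB is already open; SMTP not yet applied
RESULT = reconcile(parse_rules(to_html([WEB])), parse_rules(to_html([WEB, DB, RDP])), APPROVED)
```

The `duplicate_requests` bucket is the check that catches a change request for a rule the baseline already contains, and `unapproved_added` is the list to challenge with the supplier.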
-
Originally posted by DaveB:
Knock up a Java app to strip out the HTML crud and leave you with the data you actually want?
Leave a comment:
-
Originally posted by zerointeractive:
We use F5 BigIP firewalls but we don't have access to it in order to dump configuration to CSV.
Every time I ask for a dump of the current fw configuration, I receive an HTML tabular output but it is very difficult to maintain.
Any idea on how a tool may help on that ?
Leave a comment:
-
We use F5 BigIP firewalls but we don't have access to it in order to dump configuration to CSV.
Every time I ask for a dump of the current fw configuration, I receive an HTML tabular output but it is very difficult to maintain.
Any idea on how a tool may help on that ?
Leave a comment:
-
Originally posted by zerointeractive:
Hi Fellow contractors,
My boss asked me to create a baseline of our firewall rules because our Infra is outsourced and we have not collected changes made to the configuration so far. So in brief, it is a big mess. Duplicated RFCs are raised to the outsourced services to open/close ports and we end up losing control over what has been done.
We want to baseline the rules that are on our firewalls (we have 2) but since we have something like 100 rules in total I was wondering if there are tools to produce a report of all rules/policies in place.
I am not exactly a network guy (I was a Java developer), so I wonder if there is among you a network guru who can share his/her recommendations and suggest any tools that can automate this procedure. (NOTE: After googling a bit, I found Firemon, but I can't find a demo to download )
Has anyone a good suggestion to automate this task and maybe some past-experience on how to streamline firewall management ?
Thank you in advance,
Z
From there it's a case of cross referencing the open ports against any associated comments in the report and the original change requests.
By the sounds of it you are well and truly stuffed on this one. Outsourced IT. Lack of management oversight (they clearly don't have an in-house security bod since you got lumbered with this), poor / non-existent change control and more than likely the business making its own change requests without going through the IT dept.
Leave a comment:
-
And don't say Microsoft ISA server, always sets our security boys in fits of laughter...
Leave a comment:
-
Firewall configuration baseline - any suggested tool ?
Hi Fellow contractors,
My boss asked me to create a baseline of our firewall rules because our Infra is outsourced and we have not collected changes made to the configuration so far. So in brief, it is a big mess. Duplicated RFCs are raised to the outsourced services to open/close ports and we end up losing control over what has been done.
We want to baseline the rules that are on our firewalls (we have 2) but since we have something like 100 rules in total I was wondering if there are tools to produce a report of all rules/policies in place.
I am not exactly a network guy (I was a Java developer), so I wonder if there is among you a network guru who can share his/her recommendations and suggest any tools that can automate this procedure. (NOTE: After googling a bit, I found Firemon, but I can't find a demo to download )
Has anyone a good suggestion to automate this task and maybe some past-experience on how to streamline firewall management ?
Thank you in advance,
Z