[fw-wiz] Coding a custom firewall manager for multiple firewall brands. Feasible?

Marcin Antkiewicz firewallwizards at kajtek.org
Wed Jul 1 01:54:58 EDT 2009


> I'd just recently got an extra job role as a firewall administrator and I'm
> faced with a network that consists of multitudes of firewall brands (Nokia,
> Sidewinder, etc.) bulging with almost 3000+ rules. The networks are also
> segmented and structured in such a way that adding a new path from one host
> to other services requires multiple entries into various firewalls that
> are in the path. As the requests for new connectivity come in hundreds or
> more per week, I feel that the current implementation is not really
> scalable. (manual data entries into firewalls and fire-fighting
> trouble-shooting :( )

I am in a similar situation, with an environment that has more firewalls than
sensible people will report as a count of their fw rules.

From my experience, you will find software that will analyse the aggregate of
your ruleset without _much_ trouble. Tufin, FireMon, BMC Patrol, yada yada. Some
are better, some are crufty but, if your goal is to get "rule masking" or some
policy warnings, that will work fine.

Playbook seems quite nice for CLI managed devices, but they do not support
Checkpoint. OPSEC CPMI promises remote access to the databases which, in theory,
would allow 3rd party rule management, but I was not able to find anyone who
sells such a product. On the other hand, my attempts to get LEA to work, and a
few less-than-vanilla upgrades, destroyed whatever hope I had for this fine
product line (OPSEC and whatever else comes from CheckPoint).

--
Marcin Antkiewicz
