Firewall Wizards mailing list archives

Re: sanity rule checker for fw-1


From: Gregory Austin <gaustin () rkon com>
Date: Mon, 06 Aug 2001 14:03:37 -0500

I've been making a concerted effort lately to tidy up some of the little tools I've created for myself and toss them up on the web. One of those tools is a little C program I scribbled up that parses your CP rulebase and objects and makes an html version for off-line viewing. I spend a fair amount of time auditing, and it's nice to be able to view a CP rulebase offline. I'd found the perl scripts already out there that do this, but I ended up wanting to add some features and fix some bugs and since I'm not a big fan of doing anything in perl I ended up tossing it together in C. So when I saw your msg on the list I thought, "Hey, I could add something like that to cp2html". But when I started thinking about it I realized that it would take some thought to be useful:

1. What things would you want warnings for? (No stealth rule? No logging on drop rules? Unnecessary two-way pipes? Recommend grouping objects for clarity in rules that have more than x objects listed as source or dest?)

2. How would you keep from having an excessive number of false positives? (Or would you care? Maybe just having a list of advice that you could skim through and ignore the fp's would be fine.)

3. Where would you want to put the warnings? My proggie parses the files and creates a simulation (in html) of the way the rules actually look in the policy editor, along with a linked dictionary of objects. I could easily modify it to think about the rules a little, but where would you want the notes? Maybe displayed with the rules? Or would you want to just have an extra file dumped that lists potential issues?

Anyway, if you (or anybody else interested) can lay out in better detail what types of rules you'd like to see flagged I can throw something together for you (time permitting). I was hoping to tidy up cp2html and then toss it up on my site this weekend anyway. (check http://www.securityweasel.com/tools.html to see some of my nmap & nmapnt stuff)

Have fun,

Greg

P.S. Some of the rule bases I've seen would make you cringe. 100+ rules and around a gazillion objects, tons of overlap and out-dated items, with little or no maintenance ever having been done.

At 02:56 PM 8/2/2001 -0500, dirtbag wrote:
First, thanks; this list is great.

I am looking for a sanity checker for a Check Point rule base, i.e. flag a rule
that is created as a two-way rule where only one way is required for known
services (http, ldap, etc.).

thanks again


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
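Editor's added example, not code from Greg's cp2html, from dirtbag, or from Check Point: a small linter that implements the four warnings Greg lists (missing or shadowed stealth rule, drop/reject without logging, one-way services opened in both directions, and columns with enough objects that a group would read better). It does not parse objects.C or rulebases.fws; the rulebase below is a constructed, already-parsed list of Rule records, the shape a parser such as cp2html's could hand to a checker. The ONE_WAY_SERVICES set, the object-count threshold and the sample rules are assumptions made for the example.

```python
"""Rulebase sanity checker for the warning types discussed in the thread.

Added example (not cp2html, not Check Point's file format).  The rulebase is
a constructed list of Rule records; a real tool would build these from the
parsed policy.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Tuple

# Assumptions for the example: services treated as one-way (client -> server
# only), and how many objects in one column before a group is recommended.
ONE_WAY_SERVICES = frozenset({"http", "https", "ldap", "smtp", "ssh"})
MAX_OBJECTS_PER_COLUMN = 4
ANY = "Any"


@dataclass(frozen=True)
class Rule:
    num: int                 # position in the rulebase, 1-based (order matters)
    src: FrozenSet[str]
    dst: FrozenSet[str]
    svc: FrozenSet[str]
    action: str              # "accept", "drop" or "reject"
    track: str               # "log", "alert" or "none"


Finding = Tuple[int, str, str]   # (rule number, check code, message); 0 = whole rulebase


def _reaches_firewall(rule: Rule, firewalls: FrozenSet[str]) -> bool:
    """True if the rule's destination column could match the firewall itself."""
    return ANY in rule.dst or bool(rule.dst & firewalls)


def check_stealth(rules: List[Rule], firewalls: FrozenSet[str]) -> List[Finding]:
    """A stealth rule drops everything addressed to the firewall module and must
    sit above any accept rule that could also match that traffic."""
    stealth = next((r for r in rules
                    if r.action in ("drop", "reject")
                    and ANY in r.src and r.dst and r.dst <= firewalls), None)
    if stealth is None:
        return [(0, "NO_STEALTH", "no stealth rule (Any -> firewall, drop) found")]
    for r in rules:
        if r.num >= stealth.num:
            break
        if r.action == "accept" and _reaches_firewall(r, firewalls):
            return [(r.num, "STEALTH_SHADOWED",
                     f"accept rule {r.num} can reach the firewall before stealth rule {stealth.num}")]
    return []


def check_drop_logging(rules: List[Rule]) -> List[Finding]:
    """Drops and rejects that leave no trace are useless for incident response."""
    return [(r.num, "DROP_NOT_LOGGED", f"rule {r.num} {r.action}s traffic without logging")
            for r in rules if r.action in ("drop", "reject") and r.track == "none"]


def check_two_way(rules: List[Rule]) -> List[Finding]:
    """Flag accept rules that open a one-way service in both directions: a single
    rule whose source and destination are the same set, or a later rule that
    mirrors an earlier rule's source and destination for the same service."""
    findings = []
    for r in rules:
        one_way = r.svc & ONE_WAY_SERVICES
        if r.action == "accept" and one_way and r.src == r.dst:
            findings.append((r.num, "TWO_WAY",
                             f"rule {r.num} allows {sorted(one_way)} between the same objects in both directions"))
    for a, b in combinations(rules, 2):
        if a.action != "accept" or b.action != "accept":
            continue
        shared = a.svc & b.svc & ONE_WAY_SERVICES
        if shared and a.src == b.dst and a.dst == b.src:
            findings.append((b.num, "TWO_WAY",
                             f"rule {b.num} mirrors rule {a.num} for one-way service(s) {sorted(shared)}"))
    return findings


def check_object_count(rules: List[Rule]) -> List[Finding]:
    """Long source/destination columns are hard to audit; suggest a group object."""
    findings = []
    for r in rules:
        for column, objs in (("source", r.src), ("destination", r.dst)):
            if len(objs) > MAX_OBJECTS_PER_COLUMN:
                findings.append((r.num, "USE_GROUP",
                                 f"rule {r.num} lists {len(objs)} objects in {column}; consider a group"))
    return findings


def run_checks(rules: List[Rule], firewalls: FrozenSet[str]) -> List[Finding]:
    """Run every check over the rulebase in rule order and return sorted findings."""
    rules = sorted(rules, key=lambda r: r.num)
    findings: List[Finding] = []
    for check in (check_drop_logging, check_two_way, check_object_count):
        findings.extend(check(rules))
    findings.extend(check_stealth(rules, firewalls))
    return sorted(findings)


# Constructed sample rulebase (not from any real policy).
FIREWALLS = frozenset({"fw-gw"})
SAMPLE_RULES = [
    Rule(1, frozenset({ANY}), frozenset({"fw-gw"}), frozenset({ANY}), "drop", "log"),
    Rule(2, frozenset({"internal-net"}), frozenset({"web-srv"}), frozenset({"http", "https"}), "accept", "log"),
    Rule(3, frozenset({"web-srv"}), frozenset({"internal-net"}), frozenset({"http"}), "accept", "log"),
    Rule(4, frozenset({"h1", "h2", "h3", "h4", "h5"}), frozenset({"mail-srv"}), frozenset({"smtp"}), "accept", "none"),
    Rule(5, frozenset({"app-srv", "db-srv"}), frozenset({"app-srv", "db-srv"}), frozenset({"ldap"}), "accept", "log"),
    Rule(6, frozenset({ANY}), frozenset({ANY}), frozenset({ANY}), "drop", "none"),
]

if __name__ == "__main__":
    for num, code, msg in run_checks(SAMPLE_RULES, FIREWALLS):
        print(f"rule {num:>2}  {code:<16} {msg}")
```

The findings are plain tuples so they can be rendered either way Greg asks about: next to the rule in the html view (keyed on the rule number) or dumped to a separate list. The two-way check is the one most likely to produce the false positives he mentions (a mirrored pair is sometimes intentional), so it reports rather than suppresses.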
