Firewall Wizards mailing list archives
Re: Firewall review tool for Junipers
From: david () lang hm
Date: Fri, 23 Apr 2010 12:17:30 -0700 (PDT)
On Thu, 22 Apr 2010, Victor Williams wrote:
Having gone through this already, there is no silver bullet for ruleset auditing...it takes human eyes and an explanation on why rulesets are the way they are.
Understood, but it's hard to look for changes from 6 months ago in a GUI. It's much easier if you can get a report that shows you what has changed so that you can validate the changes.
In the case of Juniper, they have a semi-supported, mostly undocumented XML import/export function that is the only way I know of to get the rulesets into a different tool.
XML does not diff well with line-oriented tools; can anyone point to a good tool for looking for differences in XML files?
David Lang
For automated configuration collection and archive, as well as comparison, Kiwi Cattools will handle configurations with select Juniper devices.

The only way you're going to be able to audit configurations that a QSA would be fine with is to manually audit them and comment the rulesets--explain why they're needed. Cisco, Secure Computing Sidewinder (now owned by McAfee and going by a different name), etc. all allow commenting of access lists. The last gap analysis we had with a QSA who audited our rulesets indicated that our rulesets and justifications would pass an audit because of the completeness of the comments.

Hope this helps.

On 4/22/2010 10:00 AM, Wilson wrote:

Hi there,

Just wanted to get some advice from the forum. What tools do you use to perform firewall policy review on Juniper firewalls? One of the drivers is to comply with PCI DSS. Due to the number of firewalls I hope there are some proven tools out there that can help with things like gathering configs, identifying diffs in rulesets etc. I am prepared for manual analysis but want to automate as much as possible, especially as this will be a recurring task. Anyway, welcome any open source or commercial suggestions. Thanks heaps for your help.

Cheers,
Wil
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
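The problem raised in this thread, that a line-oriented diff of an XML ruleset export flags reordered or re-indented rules as changes, can be sidestepped by canonicalising each rule and comparing rules by identifier. The script below is an added example written for this archive page, not code from any poster or from Juniper; the `<policy id=...>` layout and the two embedded exports are constructed sample data, not Juniper's real (undocumented) export schema.

```python
"""Structural diff of two firewall-policy XML exports (added example).

The element names (<policies>, <policy id=...>, <from>, <to>, <service>,
<action>) are a constructed, simplified layout chosen for illustration;
a real export would need its own identifier attribute plugged in.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the "6 months ago" export.
OLD_XML = """<policies>
  <policy id="10"><from>trust</from><to>untrust</to><service>HTTP</service><action>permit</action></policy>
  <policy id="20"><from>trust</from><to>untrust</to><service>SSH</service><action>permit</action></policy>
  <policy id="30"><from>untrust</from><to>dmz</to><service>HTTPS</service><action>permit</action></policy>
</policies>"""

# Constructed sample: today's export. Rule 30 only moved (no change),
# rule 20 flipped to deny, rule 10 was removed and rule 40 was added.
NEW_XML = """<policies>
  <policy id="30"><from>untrust</from><to>dmz</to><service>HTTPS</service><action>permit</action></policy>
  <policy id="20"><from>trust</from><to>untrust</to><service>SSH</service><action>deny</action></policy>
  <policy id="40"><from>dmz</from><to>trust</to><service>ANY</service><action>permit</action></policy>
</policies>"""


def canonical(elem):
    """Order-independent, whitespace-insensitive form of one element:
    attributes sorted, children sorted, surrounding whitespace dropped."""
    attrs = tuple(sorted(elem.attrib.items()))
    children = tuple(sorted(canonical(child) for child in elem))
    text = (elem.text or "").strip()
    return (elem.tag, attrs, text, children)


def load_policies(xml_text):
    """Map policy id -> canonical form, so position in the file is irrelevant."""
    root = ET.fromstring(xml_text)
    return {p.get("id"): canonical(p) for p in root.iter("policy")}


def diff_policies(old_xml, new_xml):
    """Report which policies were added, removed, or changed in content."""
    old, new = load_policies(old_xml), load_policies(new_xml)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(i for i in set(old) & set(new) if old[i] != new[i]),
    }


if __name__ == "__main__":
    for kind, ids in diff_policies(OLD_XML, NEW_XML).items():
        print(f"{kind}: {', '.join(ids) or '-'}")
```

A plain `diff` of the two samples would report every line as changed; the structural comparison reports only rules 10 (removed), 20 (changed) and 40 (added), which is the list a reviewer then has to justify.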