I have recently worked on a number of projects where we needed to document and analyse a Firewall rule base for a customer. Although much of this process can only really be done by hand (and in your head), ideally much of the hard work can be eliminated, either by using someone else’s (preferably public/open-source) tools or through the re-use of existing templates and scripts. This not only saves time (and cost for the customer), it frees you up to perform more meaningful activities, like analysing potential security issues (rather than Excel issues).
I thought I’d share some of this experience here, and hopefully will save someone else a little time in the future too.
I should say that while ‘documentation’ is the primary goal here, the tools I mention here do far more than that, each in their own way. In my case, documentation was the name of the game, as before you can take a pre-existing environment and improve on it, you need to know what you’re dealing with. And in some cases a customer’s environment can be very difficult to come to grips with on the first pass, either because it was so poorly implemented in the past, or just because nobody bothered to write anything down.
Of course the end-game is about improvement – giving you the ability to migrate from a known (documented) state to a more secure, reliable and available future position. So hopefully some of these tools will also help you along the way to achieving that.