Friday, July 20, 2012

Firewall rule base documentation and migration tools

Collected this article here for reference:
I have recently worked on a number of projects where we needed to document and analyse a Firewall rule base for a customer.  Although much of this process can only really be done by hand (and in your head), ideally much of the hard work can be eliminated, either by using someone else’s (preferably public/open-source) tools or through the re-use of existing templates and scripts.  This not only saves time (and cost for the customer) it frees you up to perform more meaningful activities, like analysing potential security issues (rather than Excel issues).
I thought I’d share some of this experience here, and hopefully will save someone else a little time in the future too.
I should say that while ‘documentation’ is the primary goal here, the tools I mention here do far more than that, each in their own way.  In my case, documentation was the name of the game, as before you can take a pre-existing environment and improve on it, you need to know what you’re dealing with.  And in some cases a customer’s environment can be very difficult to come to grips with on the first pass, either because it was so poorly implemented in the past, or just because nobody bothered to write anything down.
Of course the end-game is about improvement – giving you the ability to migrate from a known (documented) state to a more secure, reliable and available future position.  So hopefully some of these tools will also help you along the way to achieving that.
In my most recent engagement the historical environment was Cisco based – Firewall Services Modules in fact.  The future environment will be on a Check Point platform – with security policies stored in a Smart Center server.  So to some of the tools I’ve been working with:

1. Nipper

Nipper is an excellent tool.  Taking inputs from a whole range of different devices, it’ll produce a report documenting the state of the configuration, and provide some great feedback on the potential security risks present, and some real best-practice analysis.  Nipper used to be free (v0.12) – but version 1.0 is (and presumably future releases will be) released under a commercial license. I actually tried to buy a license, but failed at the first hurdle (you have to register and validate your email address, but I never received the email validation – no matter how many times I tried!).  Among all the other great things Nipper can help you with, it can take a Cisco configuration (e.g. PIX or FWSM) and produce a formatted summary of the security rules (identified in the report as Section 3.8. ACL Configuration).  So you go from something like this:
access-list FW_ACL_INTERFACEX extended permit tcp object-group Internal_Hosts object-group External_Hosts object-group WebProtocols-tcp
access-list FW_ACL_INTERFACEX extended permit tcp object-group Mail_Server object-group External_Mail_Relay eq smtp
To something like this (from the text report):
Line, Active, Access, Proto, Source, Src Port, Destination, Dest Port, Time, Log
1, Yes, Permit, tcp, Internal_Hosts, Any, External_Hosts, WebProtocols-tcp, Any, N/A
2, Yes, Permit, tcp, Mail_Server, Any, External_Mail_Relay, smtp, Any, N/A
What’s useful in this output is that the access-list entry is now pre-formatted for you in a comma-delimited form.  If you take this output, and save it as a .CSV, you can easily start to work with the data, manipulating or presenting it as required in something like Excel.  Your ACL will then look something like this:
(Image: ACL Spreadsheet)
So while this is only a tiny part of the output from a Nipper report, it’s still very useful nonetheless, and can save you some valuable time.
Oh, and Nipper is really fast.  It can take quite a sizeable configuration and produce a report in a matter of a few seconds.  A highly recommended tool…if you can get your hands on it, that is ;-)
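To show what Nipper is doing in that ACL Configuration section, here is an added example (not code from the original article or from Nipper) that parses FWSM/PIX-style extended access-list entries into the same ten columns.  The config excerpt, the access-list name FW_ACL and the object-group names are constructed for the example; note how the parser has to know which object-groups are service groups before it can tell a source-port operand from a destination.

```python
SAMPLE_CONFIG = """\
object-group service WebProtocols-tcp tcp
 port-object eq www
access-list FW_ACL extended permit tcp object-group Internal_Hosts object-group External_Hosts object-group WebProtocols-tcp
access-list FW_ACL extended permit tcp object-group Mail_Server object-group External_Mail_Relay eq smtp
access-list FW_ACL extended permit udp host 10.1.1.5 10.2.0.0 255.255.0.0 eq 53 inactive
access-list FW_ACL extended deny ip any any log
"""  # constructed FWSM-style excerpt, not taken from any real device

HEADER = ["Line", "Active", "Access", "Proto", "Source", "Src Port",
          "Destination", "Dest Port", "Time", "Log"]

def _address(tok):
    """Consume one address operand: object-group NAME, host A, any, or net mask."""
    if tok[0] in ("object-group", "host"):
        return tok[1], tok[2:]
    if tok[0].startswith("any"):
        return "Any", tok[1:]
    return f"{tok[0]} {tok[1]}", tok[2:]

def _port(tok, service_groups):
    """Consume an optional port operand; only *service* object-groups are ports."""
    if tok and tok[0] == "object-group" and tok[1] in service_groups:
        return tok[1], tok[2:]
    if tok and tok[0] in ("eq", "gt", "lt", "neq"):
        return (tok[1] if tok[0] == "eq" else f"{tok[0]} {tok[1]}"), tok[2:]
    return "Any", tok

def acl_to_rows(config, acl_name):
    """Return one Nipper-style row per ACE of the named extended access-list."""
    # Names of service object-groups, so an 'object-group X' operand can be
    # told apart from a network object-group sitting in the same position.
    service_groups = {ln.split()[2] for ln in config.splitlines()
                      if ln.startswith("object-group service ")}
    rows = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", acl_name, "extended"]:
            continue
        action, proto, tok = tok[3].capitalize(), tok[4], tok[5:]
        src, tok = _address(tok)
        sport, tok = _port(tok, service_groups)
        dst, tok = _address(tok)
        dport, tok = _port(tok, service_groups)
        rows.append([str(len(rows) + 1), "No" if "inactive" in tok else "Yes",
                     action, proto, src, sport, dst, dport,
                     tok[tok.index("time-range") + 1] if "time-range" in tok else "Any",
                     "Yes" if "log" in tok else "N/A"])
    return rows
```

Writing `[HEADER] + acl_to_rows(SAMPLE_CONFIG, "FW_ACL")` through `csv.writer` gives the same .CSV you would otherwise lift from the Nipper text report; the inactive UDP entry and the logged deny-all show the Active and Log columns being filled.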

2. Check Point ConfWiz

Primarily designed as a migration tool, one which helps to ease the burden of migrating from other security appliances (e.g. Cisco PIX) to a Check Point firewall infrastructure, ConfWiz is also quite useful for batch object creation and manipulation.  Additionally, it can be used to help in the documentation effort, if you can get some value out of the XML files that it creates as intermediary data stores.  ConfWiz is available in the Check Point Support Center sk41719 (Also see sk42302 for bulk object creation – login required).
You can run ConfWiz against a Cisco configuration, and output the results to XML (with no connection to a Smart Center required) using a command similar to this:
cp_migrator.exe -i "InputCiscoConfiguration.txt" -offline -no-netobj-linking -no-service-linking -prefix Cisco1
Note: ConfWiz is currently quite limited in what it will import – FWSM 2.3 and PIX 6.3.  If you have anything greater than that you may run into similar problems to the ones I did, meaning the XML files it outputs (fw_policies.xml in particular) are next to useless.  Hopefully they’ll add wider source support in future versions.

3. Object Filler & Dumper

An oldie but a goodie, Object Filler 2.4 is a very useful tool.  Not only can it help with import and export, bulk object creation etc. (although unsupported by Check Point), it can also assist with migration from other security appliance configurations to a Check Point environment (Cisco PIX, Cisco Routers, Juniper/NetScreen, Symantec Raptor, Gauntlet and SideWinder firewalls).
Section 5.3 of the tutorial that comes with the download contains all the info you’ll need.
If you run the ofiller command line against a Cisco PIX/FWSM configuration, it will produce a Check Point compatible rule base in CSV format (handy when migrating from PIX to Firewall-1).  But once again, if documentation is your goal, you can use that CSV file in Excel as a nicely formatted and easily filterable security policy.  Of course if you want to continue on and use this tool for importing the resultant files, you can complete the migration process and start working with the new objects & firewall rules using Smart Dashboard.

4. Check Point Web Visualization Tool (WebVis)

The Check Point Web Visualization Tool (available here) is great for presenting a printed (hard-copy) report of your Check Point firewall rule bases.  Even if you don’t present the full report in printed form, it represents a nice ‘point-in-time’ view of a customer’s Check Point security policy, in an offline form – so you don’t need to have direct access to the Smart Center server while reviewing the rule base, for security issues etc.  The WebVis tool produces reports in two forms:
1. Simplified Format – Single report in HTML form.  Example command line:
cpdb2html.bat C:\$\WebVisDirectory C:\$\webvisoutput FWUSER PASSWORD  -o RulebaseReport.html
2. Advanced Format – Multiple XML files created.  You can view the results using an XSL file, or anything else that will open .XML files. Example command line:
cpdb2web -s -u FWUSER -p PASSWORD -o C:\$\webvisoutput -c -w C:\$\WebVisDirectory
I usually run both reports, as then you have the option of working with both static HTML output and the XML files.

5. Excel Spreadsheets for documentation

(Image: FINAO IP Spreadsheet)
Typically when I complete a network implementation project I’ll leave the customer with a well-documented IP Addressing spreadsheet, among other things.  So having a good standard for presenting and managing IP addresses is an important part of the tool kit.  When documenting a customer’s existing network and security infrastructure however, it is sometimes useful to have tools to categorise and re-format IP addresses and subnets.  So I have put together an IP Address Reference spreadsheet, which includes a few formulas that may save you some time in the future, and a couple of ‘reference’ sheets that I find useful for inclusion as part of an IP Addressing plan – to aid subnetting and network allocation, for example.
1. The first sheet ‘IP-Octet’ contains a couple of tables that you can re-use, or hack around, that simply splits out an IP address in dotted-decimal form to the four IP octets.  You can then use the table filters to categorise or sort IP addresses by network etc.
2. The second sheet ‘IP-Subnet’ takes an input of IP address and subnet mask and outputs the IP Subnet of which that IP address is a member. Again pretty simple, but could save someone some time in putting this together in the future.
Feel free to download and work with this spreadsheet as you like (Note: There are no macros or anything in the spreadsheet, formulas only, so it’s pretty safe to use).
