Firewall Wizards
mailing list archives
Re: Firewall Rule Migration Utilities?
From: "Volker Tanger" <volker.tanger () discon de>
Date: Tue, 11 Dec 2001 18:13:34 +0100
Greetings!
For ease of understanding (oversimplifying): Gauntlet, TIS and Raptor
are proxies, whereas Checkpoint (and Pix and other appliances) are
packet filters. For this very reason it is harder to convert across
these two classes than within one (e.g. Gauntlet to Raptor). Just be careful
with it - you're in the middle of the "best-fit vs. first-match"
battleground with Gauntlet->FW1.
Unfortunately I only know of one "migration" tool, which is usable for
migration from Raptor to Checkpoint
(http://www.wyae.de/software/fwtools.html).
This was just a quick hack which only converts the network entities -
which helps a lot when migrating a big rulebase and takes off a lot of
typing work (and possible typo errors). It does not help with the rules
themselves though.
As for Checkpoint Firewall-1: the upcoming FW1rules script (same URL)
will be able to dump objects and rules into separate tables for further
conversion (okay, it already does this, but the usual main output isn't
implemented yet). If I get the proper support (e.g. patches) this tool
can be used as base for conversions from Checkpoint rulebases.
I have to agree with Chad that any migration is an excellent opportunity
to refine, strip down and document the ruleset. I especially recommend
having a manager's signature for each and every rule, where they take
over responsibility (and accountability) for each and every rule they
demand - even if only to scare off the "utterly important" stuff.
;-)
From my experience (converting Raptor - Checkpoint - Linux IPtables -
SonicWall) it is much easier to start with an empty rulebase and a
(signed!) list of business needs than to erase single "superfluous"
rules from a given ruleset. I can nearly guarantee you won't find those
obscure interdependencies hidden in the grown^H^H^H^H^Hsprawled ruleset
- which can break your neck...
As for a list of converted network objects: they save a lot of typing
and (typo) trouble - and are much easier to clean up (just delete the
unused) than a(ny) rulebase.
Good luck!
Volker
--
Volker Tanger <volker.tanger () discon de>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
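The "best-fit vs. first-match" point above is the part of a proxy-to-packet-filter migration that no object converter catches: the same rules, in the same order, can yield a different verdict. The script below is an added example (not code from this post, nor from the fwtools or FW1rules scripts mentioned) that evaluates a small, constructed rulebase under both strategies and lists the test traffic on which they disagree. The "best-fit" ranking (longest combined source/destination prefix plus an explicit service beats a wildcard) is an assumption about how a most-specific-match engine would rank rules; the real Gauntlet semantics are not documented on this page.

```python
"""Compare first-match (packet-filter style, e.g. Checkpoint FW-1)
against a most-specific-match ("best-fit") evaluation of one rulebase.

Added example, not code from the post or from any of the named tools.
The rulebase and the traffic samples are constructed for illustration;
the best-fit scoring below is an assumption, not a vendor algorithm.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    service: str   # "any" or a named service such as "http"
    action: str    # "accept" or "drop"


def rule(name: str, src: str, dst: str, service: str, action: str) -> Rule:
    return Rule(name, ip_network(src), ip_network(dst), service, action)


# Constructed rulebase, in the order an FW-1 admin might have typed it.
# The broad "admin-any" rule sits above the narrower finance block.
RULES: List[Rule] = [
    rule("admin-any",         "10.0.0.0/8",  "0.0.0.0/0",  "any",  "accept"),
    rule("block-finance-web", "10.1.0.0/16", "192.0.2.0/24", "http", "drop"),
    rule("cleanup",           "0.0.0.0/0",   "0.0.0.0/0",  "any",  "drop"),
]


def matches(r: Rule, src: IPv4Address, dst: IPv4Address, service: str) -> bool:
    return src in r.src and dst in r.dst and r.service in ("any", service)


def first_match(rules: List[Rule], src: IPv4Address, dst: IPv4Address,
                service: str) -> Optional[Rule]:
    """Packet-filter semantics: the first rule in order that matches wins."""
    for r in rules:
        if matches(r, src, dst, service):
            return r
    return None


def specificity(r: Rule) -> int:
    """Assumed best-fit score: longer prefixes and a named service outrank
    wildcards. Ties fall back to rulebase order via max()'s stability."""
    return r.src.prefixlen + r.dst.prefixlen + (0 if r.service == "any" else 1)


def best_fit(rules: List[Rule], src: IPv4Address, dst: IPv4Address,
             service: str) -> Optional[Rule]:
    """Proxy-style semantics: the most specific matching rule wins,
    regardless of where it sits in the rulebase."""
    cands = [r for r in rules if matches(r, src, dst, service)]
    return max(cands, key=specificity) if cands else None


def evaluate(rules: List[Rule], src: str, dst: str, service: str) -> dict:
    s, d = ip_address(src), ip_address(dst)
    fm, bf = first_match(rules, s, d, service), best_fit(rules, s, d, service)
    return {
        "first_match": fm.name if fm else None,
        "first_match_action": fm.action if fm else "drop",
        "best_fit": bf.name if bf else None,
        "best_fit_action": bf.action if bf else "drop",
    }


def divergences(rules: List[Rule],
                samples: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the traffic samples on which the two strategies disagree.
    Run this over your real traffic matrix before trusting a converted rulebase."""
    out = []
    for src, dst, service in samples:
        v = evaluate(rules, src, dst, service)
        if v["first_match_action"] != v["best_fit_action"]:
            out.append((src, dst, service))
    return out


# Constructed traffic samples: finance host, other internal host, outsider.
SAMPLES = [
    ("10.1.2.3",   "192.0.2.10", "http"),
    ("10.2.2.3",   "192.0.2.10", "http"),
    ("172.16.0.1", "192.0.2.10", "http"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, evaluate(RULES, *sample))
    print("diverging:", divergences(RULES, SAMPLES))
```

The finance host is the interesting case: under first-match the broad "admin-any" rule accepts it, under best-fit the narrower "block-finance-web" drops it. A rulebase that was correct on the proxy silently opens a hole on the packet filter unless the narrow rule is moved above the broad one; a diff of both verdicts over the real traffic matrix is the check to run before cut-over.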