Hello and welcome to this course on Firewall Management 201. I'm Professor Wool, and in this lesson we'll discuss how to synchronize object management with a CMDB.

So let's take a look at what we have in a typical firewall management system. We have firewalls that are managed by the management system controlling them, and in these firewalls we have rules, for instance a rule saying we're allowing traffic from our networks to these two IP addresses, or these two objects with these names, using DNS. But this picture of the world is what the firewall operations team knows and understands.

However, there is also another repository of data in the organization, which is an inventory, or a CMDB, a configuration management database. In this configuration management database there are multiple configuration items that have a name, an IP address, and various other pieces of information that describe that configuration item. In that database you might have a record saying, for instance, that DNS-NYC-01, at 10.0.0.5, is a Linux server, it's located in New York City, and so on and so forth. And you just happen to notice that the IP address of this DNS server matches the IP address of the server over here in this rule, but the rule uses a different name. So on the firewall management system the object names are different than the object names inside the CMDB, simply because these two systems don't communicate; there is nothing synchronizing the naming across these two areas.

Now, to make this discrepancy more difficult, think about what happens when there is a change request: somebody needs to make a change. For instance, a change request might look like this, in blue, saying: allow SSH and SNMP from NetMgmt to DNS-NYC-01 and DNS-NYC-02. OK, these are the names that the person making the change request is familiar with; these are the names that appear in the CMDB. Over here, this is the NetMgmt system; this is where the traffic is supposed to be coming from. OK, but the people managing the firewall don't necessarily understand these names, because they don't appear in the firewall management system.

So to honor this change request, somebody has to do a translation: basically, look at the change request, see that it refers to a name, which is NetMgmt, go over to the CMDB, find out what that name is and what IP address it means, and then look in the firewall management system to see if there is an object that matches this IP address in here somewhere. This of course can be done; it's just slow and error-prone.

It would be so much better if we had a network security policy management system coordinating and synchronizing all of this, because then this system could observe the object names that are maintained in the firewall management system, and could also import the information from the CMDB, getting the mapping between the CMDB CI names and their IP addresses, and then influence the change request processing so that the names recorded in the change request automatically get populated with proper definitions. With all of this in place, instead of a firewall rule using names like this, you would end up with a firewall rule that actually uses understandable names: from NetMgmt to DNS-NYC-01 with SSH. And this would now work, because these names would be part of the firewall management system; they would be created on the firewall management system with matching definitions, so that what's in the CMDB and what's in the firewalls is the same.

Thank you for your attention.