Welcome to this course on Firewall Management 201. I'm Professor Wool, and this lesson will discuss how to take control of a firewall migration project.

So imagine you have in your environment a firewall that you need to retire. This is the purple firewall. Perhaps it's already too old and out of support, perhaps it's just not keeping up with bandwidth, and you need to retire it and replace it with something new. And maybe you've got a good deal from the brown firewall vendor, and you're going to plan to replace the purple firewall with a brown firewall. The brown vendor's offer tells you that they have tools that can take the purple configuration, import it into the brown vendor's tools, and convert it magically into a brown firewall configuration, all this in one button click as part of the professional services project. And this is the offer that you have in front of you.

I'm very skeptical about such offers. I think that assuming that this magic button will automatically convert everything to your satisfaction is very, very risky, because there are some fine details that have to be looked at. For instance, let's take a look at this purple firewall. If we look at the topology of that purple firewall, you can see that perhaps it has three interfaces: there's a trust side, an untrust side and a prod side, and these are the names of the zones behind the firewall. And the rules on the purple firewall, of which you have a few thousand, rely on these zones. So you have rules from the untrust zone to the trust zone with source any and destination something.

If you try to convert that to the brown firewall environment, you have to take into account also the topology of the brown firewall. And if the brown firewall happens to have a different structure, perhaps you've decided to re-architect the network, and now you have the brown firewall that only has two sides, so it has an inside and an outside, and the names of these sides are different from the names that were on the purple firewall. When you want to write this purple rule in the brown configuration language, in the brown configuration topology, it's not entirely clear, because look: you have a source of any that is coming from the untrust zone, right? So this would mean traffic going from the untrust zone over here and going towards the trust zone over there, where the 10.1.1.10 is. What do you do when you write that in the brown topology? Do you write source equals any over here going from outside to inside? Is that perhaps too much? Maybe the outside over here really includes the IP addresses in what we used to call prod. We don't know; we haven't decided if you're merging these two zones or those two zones. So the conversion is not clear; somebody has to make a design choice here. And if you use some automatic tool with no intervention, then you might end up with a configuration that is either risky, allowing traffic that you don't want to allow, or possibly worse, too narrow and not allowing the traffic that you actually need, and so functionality will break. So assuming that you can do this in one go, when you have thousands of these and each one of them potentially requires some thought and some design, is a high-risk project.

What I think makes more sense is to realize that this is going to be a project that has multiple phases, and in each phase you want to copy over a chunk of rules, not all of them. So don't take all 1,000 or 5,000 rules and assume that you can convert all of them at once, but select chunk sizes that you can actually understand and think about, and copy only those. Review while you're doing it and see if there are any decisions that you need to make, like the ones that I'm indicating here, and make the decisions on the fly when you're converting the rules. And then, after you do that, review and verify each chunk to see that the 15 rules that you moved in today's chunk actually do in the brown environment exactly what they used to do in the purple environment. Even though the topology is different, the naming is different and the zone names are different, functionality-wise the copied rules will do the same thing.

If you look at it that way, then you can say, okay, we have a thousand rules, we're going to be copying over 20 rules every day, it's going to take us 50 days to do it. If you can handle 200 rules a day, then you're done in five days. But at least you have a plan, and you can estimate how long it's going to take, and you have some assurance that by the end of the project you'll get something that is working to your satisfaction.

Thanks for your attention.
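The zone-mapping ambiguity and the chunked plan described in the lecture, as an added Python example that is not part of the original lesson: the rules, the three-zone to two-zone mapping (prod folded into outside) and the per-day figures are constructed assumptions, and the script flags rather than silently converts any rule whose meaning would change under the new topology.

```python
from dataclasses import dataclass
from math import ceil
from collections import Counter

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: str      # address, prefix or "any"
    dst: str
    action: str

# Constructed sample rules for the three-zone "purple" firewall.
PURPLE_RULES = [
    Rule("untrust", "trust", "any", "10.1.1.10", "allow"),
    Rule("prod", "trust", "10.2.0.0/16", "10.1.1.10", "allow"),
    Rule("trust", "untrust", "any", "any", "allow"),
]

# One possible design decision (an assumption, not from the lecture):
# the two-zone "brown" firewall folds prod into outside.
ZONE_MAP = {"untrust": "outside", "prod": "outside", "trust": "inside"}

def convert(rule, zone_map):
    """Mechanically translate one rule and list why a human must review it."""
    absorbed = Counter(zone_map.values())   # purple zones per brown zone
    new_src, new_dst = zone_map[rule.src_zone], zone_map[rule.dst_zone]
    notes = []
    # "any" on a side whose zone was merged now also matches the merged-in hosts.
    if rule.src == "any" and absorbed[new_src] > 1:
        notes.append(f"source 'any' in {new_src} is wider than it was in {rule.src_zone}")
    if rule.dst == "any" and absorbed[new_dst] > 1:
        notes.append(f"destination 'any' in {new_dst} is wider than it was in {rule.dst_zone}")
    # Two purple zones collapsing into one brown zone makes the rule intra-zone.
    if new_src == new_dst:
        notes.append(f"{rule.src_zone}->{rule.dst_zone} becomes intra-zone {new_src}")
    return Rule(new_src, new_dst, rule.src, rule.dst, rule.action), notes

def migrate_chunk(rules, zone_map):
    """Convert one chunk; return converted rules and those needing a design decision."""
    converted, needs_review = [], []
    for r in rules:
        new_rule, notes = convert(r, zone_map)
        converted.append(new_rule)
        if notes:
            needs_review.append((r, notes))
    return converted, needs_review

def days_needed(total_rules, rules_per_day):
    """Project length when rules are moved in fixed-size daily chunks."""
    return ceil(total_rules / rules_per_day)

if __name__ == "__main__":
    _, review = migrate_chunk(PURPLE_RULES, ZONE_MAP)
    for rule, notes in review:
        print(rule, *notes, sep="\n  ")
    print(days_needed(1000, 20), "days at 20 rules/day")
```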