Hello and welcome to this week's security management course. I'm Professor Wool. Today we're going to be talking about firewall object naming. So what's the story?

Assume you have a server in your environment, and this is its identity card, a CMDB record. It has an IP address, 10.3.0.1; it has a DNS name, db.acme.com; it is located in the DFW data center; and its server type is database. So you have this system over there in the data center, and now you need to put in firewall rules that refer to this server and allow traffic to and from it. So how are people going to write the rules that refer to this server?

It really depends on how the firewalls are managed and what the firewall vendor lets you do. Some firewall vendors let you use the DNS name, so people might write rules that refer to db.acme.com. Other firewall vendors require you to define objects and give them names, so an engineer might call that server in a rule "IP-" followed by the IP address. Some other engineer might realize that this is a database server and give it the name "DB", just for convenience. Each engineer might have their own way of calling things, and you could have many of these, all referring to the same server.

Now the problem gets worse if you have a diverse environment and you have firewalls made by different vendors, because each vendor has their own rules on how you can call things. Let's say on firewall B you might have to write access lists and refer to that server using some syntax like "host" and the IP address, or something else. So the result of all of these different ways of calling the same server is management clutter, and this is bad because it makes managing these rules across all your firewall estate more complicated and more error-prone, and you want to avoid it.

Part of the reason why this is happening is that, unfortunately, almost none of the major firewall vendors give us a capability of reverse lookup. So if we have an IP address, we don't have a convenient way of discovering what objects exist on the firewall that refer to that IP address, and then people do their own thing, and you end up in a situation where you have duplicates.

So what can you do to reduce this problem? I can suggest a few tips that you could follow.

The first is to clean up. You could use software to process your firewall rules and search for duplicate definitions: find multiple objects with different names that refer to the same IP address, report on them, and then standardize and clean them up. So that's definitely a good idea, to get to a nice steady baseline.

The second thing that you can do is to define a naming convention. This is a process-oriented solution where you decide how you want to call things. As an idea, you could use names that begin with a data center name, and then something about the server type, and then maybe the IP address, and that's going to be the officially sanctioned name in firewall rules for this server. If you decide that this is your naming convention and you educate and train your firewall engineers to always use the same naming convention, then they will reuse the same definition over and over and not create duplicates, because when they decide to create a rule that refers to an object that already exists, they will automatically pick the right name for it, and if the object is already there, they will find it.

Once you have a naming convention like this, or something that you invent, the next thing is to enforce it: enforce the convention. Here again you can use software to help you. If you have a change management system, perhaps you can program it to automatically recommend using properly formatted names when a change request is made, or perhaps you can configure it to validate user-defined names and make sure that the names fit the convention. So you can do this in different ways.

If you follow these steps you're already in a good place, both in terms of cleaning up the old history and in making sure that going forward you're not making the problem any worse; instead you're making it better. Thank you for your attention.
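The three steps in the lecture (search for duplicate objects, define a naming convention, validate names against it) can be put into a small script. The following Python is an added example and is not part of the lecture or any vendor's tooling. It assumes a hypothetical convention of the shape the lecture sketches, <DC>-<TYPE>-<IPv4> (for example DFW-DB-10.3.0.1), with made-up data center and server type vocabularies, a constructed export of named objects from a hypothetical "vendor A" firewall, and a few constructed "vendor B" access-list lines that use the "host <ip>" syntax. The ACL scan doubles as the reverse lookup the lecture says vendors rarely provide: given an IP, list every object and rule line that refers to it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (not a real export): named host objects from a
# hypothetical "vendor A" firewall. Several names refer to the same server.
VENDOR_A_OBJECTS = {
    "IP-10.3.0.1": "10.3.0.1",
    "DB": "10.3.0.1",
    "db.acme.com": "10.3.0.1",
    "DFW-DB-10.3.0.1": "10.3.0.1",
    "DFW-WEB-10.3.0.20": "10.3.0.20",
    "mailserver": "10.3.0.25",
}

# Constructed sample: "vendor B" access-list lines using "host <ip>" syntax.
VENDOR_B_ACL = """\
access-list OUTSIDE_IN extended permit tcp any host 10.3.0.1 eq 1433
access-list OUTSIDE_IN extended permit tcp any host 10.3.0.20 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.3.0.1 eq 22
"""

# Assumed naming convention for this example: <DC>-<TYPE>-<IPv4>.
# The vocabularies below are made up; a real deployment would take them from the CMDB.
DATA_CENTERS = {"DFW", "ORD", "LHR"}
SERVER_TYPES = {"DB", "WEB", "APP", "MAIL"}
NAME_RE = re.compile(
    r"^(?P<dc>[A-Z]{3})-(?P<type>[A-Z]+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def conforming_name(dc, server_type, ip):
    """Build the sanctioned object name for a host under the assumed convention."""
    return f"{dc}-{server_type}-{ipaddress.ip_address(ip)}"


def validate_name(name, ip):
    """Return a list of problems with an object name; an empty list means it conforms."""
    m = NAME_RE.match(name)
    if not m:
        return [f"{name!r} does not match <DC>-<TYPE>-<IP>"]
    problems = []
    if m["dc"] not in DATA_CENTERS:
        problems.append(f"unknown data center {m['dc']!r}")
    if m["type"] not in SERVER_TYPES:
        problems.append(f"unknown server type {m['type']!r}")
    # The IP embedded in the name must agree with the object's actual address.
    if ipaddress.ip_address(m["ip"]) != ipaddress.ip_address(ip):
        problems.append(f"name says {m['ip']} but object is {ip}")
    return problems


def acl_host_refs(acl_text):
    """Reverse lookup over ACL text: the set of IPs referenced as 'host <ip>'."""
    return set(re.findall(r"\bhost\s+(\d{1,3}(?:\.\d{1,3}){3})", acl_text))


def find_duplicates(objects):
    """Map each IP to every object name referring to it; keep only IPs with >1 name."""
    by_ip = defaultdict(list)
    for name, ip in objects.items():
        by_ip[str(ipaddress.ip_address(ip))].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def cleanup_report(objects, acl_text):
    """Combine duplicate search, ACL reverse lookup and name validation.

    For each IP with duplicate objects, report all names, which one (if any)
    already conforms and should be kept, and whether ACL lines also refer to it.
    """
    acl_refs = acl_host_refs(acl_text)
    report = {}
    for ip, names in find_duplicates(objects).items():
        conforming = [n for n in names if not validate_name(n, ip)]
        report[ip] = {
            "names": names,
            "keep": conforming[0] if conforming else None,
            "also_in_acl": ip in acl_refs,
        }
    return report


if __name__ == "__main__":
    for ip, entry in cleanup_report(VENDOR_A_OBJECTS, VENDOR_B_ACL).items():
        print(ip, entry)
    for name, ip in VENDOR_A_OBJECTS.items():
        for problem in validate_name(name, ip):
            print("non-conforming:", problem)
```

In a change-management hook, validate_name() is the check to run on a user-supplied object name before the request is accepted, and conforming_name() is what to suggest instead; find_duplicates() is the one-off cleanup pass that establishes the baseline.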