Hello and welcome to Security Management 201. I am Professor Wool, and today we're going to be talking about how to structure network objects to plan for future policy growth.

So imagine that you have servers in your data center. You could probably categorize your servers according to multiple criteria, such as the operating system they're using (maybe it's a Linux server), the function they're playing (maybe it's a MySQL database), or the zone, the network segment, that the server is going to be located in (maybe it's in the blue zone).

Now each one of these categories actually implies the requirement for certain types of network access. For instance, if it's a Linux server then you probably want these types of access: you want to allow DNS access, and you want to allow SSH for the IT administrators to access that device, whereas if it were a Windows server then you would require other types of access. Similarly, if it's a database server then you would probably need SQL*Net access from the DBA workstations, and if it's placed in the blue zone then you want to allow access from the blue zone security operations center so that they can troubleshoot. So categorization implies
network access. In many cases, what you can do is use your firewall management platform to construct templates that implement these relationships, and to do that you would use your vendor's network object definitions. Most firewall vendors, in their management platform, let you define named objects, so you could define an object for, let's say, your Linux servers and list all the IP addresses of all the Linux servers that you have in your data center. Similarly, you could have a definition called "DB servers" that lists all the IP addresses of the database servers in your data center. You can of course have the same IP address appear in multiple different objects, because one server is both a Linux server and a database server and something else.

Once you have these network objects defined, you write your rules according to the templates of access that you need. So you would have a predefined rule allowing access from all the Linux servers to the corporate DNS using DNS, and you allow the IT staff to access the Linux servers using SSH, and so on and so forth. The advantage of writing your policy this way, using network objects that come from these categories, is that when you have a new server being added to your data center, what you really need to do is just add the IP address to the appropriate objects. If you've done that correctly, then you don't need to touch the policy rules, because they're already in place: all the network access that is required because it's a Linux server, because it's in the blue zone, all that access is already baked into the firewall policy rules. Which means that you have to do less work, your policy is more compact, and it allows you to grow more quickly.

Now
there's a couple of things that you need to bear in mind if you start using this kind of structure. The first is discipline. You really need to be disciplined in how you put rules into your firewalls, and make sure all the team members are aware of the mapping between, let's say, the operating system category and the object name in the database, so that when a new server is added they remember to add that IP address to the predefined network object rather than just add more rules to the policy. So discipline and training of staff is important.

A bigger challenge sometimes is what happens when you have a multi-vendor environment. If you have firewalls from different vendors, each vendor supplies their own firewall policy management platform, and typically you cannot share network object definitions across vendors. So if you want to use this type of template approach, you really need to define your Linux servers object once on vendor number one and again on vendor number two, preferably using the same name, and it's really important to get the content exactly the same on all systems. Otherwise you get diverging definitions, the rules will not be consistent, and you've lost the advantage that you're trying to achieve. So if you have a multi-vendor environment, as many organizations do, then of course you need even more discipline, and you also might want to consider third-party tools that are inherently multi-vendor and can let you see a holistic view of all the definitions of all network objects across your whole estate. With such assistance you can get the same results and have something automated ensure that you don't make mistakes.

Thank you for your attention, and see you next time.
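As an added example, not part of Professor Wool's lecture, the following Python script puts the template approach described above into working code: servers are categorized by OS, role and zone, the category network objects are derived from that inventory, rules are written once against object names, and onboarding a server changes only object membership while the rule templates stay untouched. It also implements the multi-vendor consistency check the lecture calls for, by diffing two platforms' object definitions and reporting any object that differs or exists on only one side. All addresses (RFC 5737 documentation ranges), object names, services and rule templates are constructed for the example and are not from any vendor's platform.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample inventory. Addresses come from RFC 5737 documentation
# ranges, so nothing here refers to a real network.
SERVERS: List[dict] = [
    {"ip": "192.0.2.10", "os": "linux",   "role": "mysql", "zone": "blue"},
    {"ip": "192.0.2.11", "os": "linux",   "role": "web",   "zone": "blue"},
    {"ip": "192.0.2.20", "os": "windows", "role": "ad",    "zone": "green"},
    {"ip": "192.0.2.21", "os": "linux",   "role": "mysql", "zone": "green"},
]

# Objects that are not derived from server categories (hypothetical names).
FIXED_OBJECTS: Dict[str, Set[str]] = {
    "CORP_DNS":    {"198.51.100.53"},
    "IT_ADMIN_WS": {"203.0.113.0/24"},
    "DBA_WS":      {"203.0.113.64/26"},
    "BLUE_SOC":    {"203.0.113.128/26"},
}

# Rule templates written once against object names, never against addresses:
# (source object, destination object, service). Hypothetical services.
TEMPLATES: List[Tuple[str, str, str]] = [
    ("OS_LINUX",    "CORP_DNS",   "udp/53"),
    ("IT_ADMIN_WS", "OS_LINUX",   "tcp/22"),
    ("DBA_WS",      "ROLE_MYSQL", "tcp/3306"),
    ("BLUE_SOC",    "ZONE_BLUE",  "tcp/22"),
]


def category_objects(server: dict) -> Set[str]:
    """The documented mapping from a server's categories to object names.
    One server belongs to one OS object, one role object and one zone object."""
    return {
        f"OS_{server['os'].upper()}",
        f"ROLE_{server['role'].upper()}",
        f"ZONE_{server['zone'].upper()}",
    }


def build_objects(servers: List[dict]) -> Dict[str, Set[str]]:
    """Derive every category object from the inventory. The same IP lands in
    several objects (Linux AND MySQL AND blue zone), which is intended."""
    objects: Dict[str, Set[str]] = {k: set(v) for k, v in FIXED_OBJECTS.items()}
    for s in servers:
        for name in category_objects(s):
            objects.setdefault(name, set()).add(s["ip"])
    return objects


def render_rules(objects: Dict[str, Set[str]]) -> List[dict]:
    """Expand the templates into concrete rules. A template that names an
    object with no definition is an error, not a silently empty rule."""
    rules = []
    for src, dst, svc in TEMPLATES:
        missing = [n for n in (src, dst) if n not in objects]
        if missing:
            raise KeyError(f"template {src}->{dst} uses undefined object(s): {missing}")
        rules.append({"src": sorted(objects[src]), "dst": sorted(objects[dst]), "service": svc})
    return rules


def add_server(servers: List[dict], new_server: dict) -> Dict[str, Set[str]]:
    """Onboarding a server touches only the inventory and, through it, the
    objects; TEMPLATES (and hence the rule base) is not modified."""
    servers.append(new_server)
    return build_objects(servers)


def diff_objects(vendor_a: Dict[str, Set[str]], vendor_b: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Multi-vendor consistency check: report every object whose definition
    differs between two management platforms, or that exists on only one."""
    report: Dict[str, dict] = {}
    for name in sorted(set(vendor_a) | set(vendor_b)):
        a, b = vendor_a.get(name), vendor_b.get(name)
        if a is None or b is None:
            report[name] = {"missing_on": "A" if a is None else "B"}
        elif a != b:
            report[name] = {"only_in_A": sorted(a - b), "only_in_B": sorted(b - a)}
    return report


if __name__ == "__main__":
    objs = build_objects(SERVERS)
    for rule in render_rules(objs):
        print(rule)
    # Simulate vendor B's copy of the objects having been edited by hand and drifting.
    drifted = {k: set(v) for k, v in objs.items()}
    drifted["OS_LINUX"].discard("192.0.2.21")
    print(diff_objects(objs, drifted))
```

Run `diff_objects` against object exports pulled from each vendor's platform (after normalising them to the name-to-address-set shape used here) as a scheduled check; a non-empty report is exactly the "diverging definitions" case the lecture warns about, caught before the rules silently disagree.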