
List:       sidewinder
Subject:    RE: [Sidewinder] exporting acls
From:       "Messner, Todd Mr NISO/Lockheed Martin" <Todd.Messner () hqda ! army ! mil>
Date:       2002-02-11 17:44:39

Yes, this does help.  I particularly appreciate your suggestion #4 that
describes the granular usage of cf acl q to extract service information.  A
very good idea.

Thanks to all of you that responded. 

-----Original Message-----
From: Josh Archambault [mailto:josh@snowplow.org]
Sent: Sunday, February 10, 2002 3:18 AM
To: Messner, Todd Mr NISO/Lockheed Martin
Cc: 'sidewinder@adeptech.com'
Subject: Re: [Sidewinder] exporting acls


It sort of depends what constitutes unwieldy, but some things that might 
help:

1) Netgroups:  Use 'em.  Love 'em.  And don't forget that netgroups 
_can_ be members of other netgroups too.

2) Servicegroups: They work like netgroups.  On most firewalls I've 
worked on, servicegroups cut the existing ACL table by 50% or better 
with no difference in security policy enforcement.

3) Comments:  Build netgroups and servicegroups that have descriptive 
names and use comments (with dates and initials!) that describe 
everything you are doing.  Plus, if you set about the (tedious) process 
of documenting and commenting each ACL, you'll find at least a few that 
can be whacked.

4) Remember that the newer (>5.1?) Sidewinder GUI's will let you sort by 
any field simply by clicking on it.  Don't neglect your command line 
tools either.  'cf acl q' will take just about any ACL field as 
sub-argument.  'cf acl q table=acl service=foo' (or even 'cf acl q | 
grep -3 foo') is very powerful for tracking down potential overlaps or 
conflicts.

5) Don't be afraid of negative logic.  Use deny ACLs when appropriate to 
reduce ACL table size.

Now, I do realize that that doesn't answer your question, but in reality 
if your firewall can't handle your policy management tasks there is a 
problem.  Realistically, you shouldn't have to resort to a third party 
tool of any sort to add this functionality.  More to the point, I've 
seen Sidewinders with thousands of rules and they are manageable through 
the GUI without too much pain and from the command line with relative ease.

Kicking feedback back to support@ (or even tomo@ for a little more 
direct contact with marketing) when you run into scalability or usability 
problems is not such a bad thing either.

Hope that helps...

-J




Messner, Todd Mr NISO/Lockheed Martin wrote:

> I'm trying to logically manage a potentially unwieldy ruleset by 
> importing the entries into an Excel spreadsheet or Access database.  How 
> do all of you manage the rules?
> 
> Todd Messner
> Pentagon - NISA-P Firewalls
> 


_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
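As an added illustration of point 4 in Josh's reply above (tracking down overlaps and conflicts in an ACL table), with the nested netgroups and servicegroups from points 1 and 2, here is a small Python script. It is not from the thread and not Sidewinder code: the ACL table, netgroup and servicegroup definitions are constructed sample data in a simplified format, not the output of `cf acl q`, and first-match rule ordering is an assumption. It reports a later rule as "shadowed" when an earlier rule already matches all of its traffic (so it can never fire, and a deny behind an allow is silently ineffective), and as "overlap" when the two merely share some traffic.

```python
import ipaddress
from dataclasses import dataclass

# Constructed netgroups: members are CIDR literals or other netgroup names
# (netgroups nest, as the post notes). Not real Sidewinder configuration.
NETGROUPS = {
    "dmz_web": {"10.1.1.0/24"},
    "dmz_all": {"dmz_web", "10.1.2.0/24"},
    "corp": {"192.168.0.0/16"},
}

# Constructed servicegroups: members are service names or other servicegroup names.
SERVICEGROUPS = {
    "web": {"http", "https"},
    "web_plus": {"web", "ssh"},
}


def expand_nets(name, groups=NETGROUPS, seen=None):
    """Resolve 'any', a CIDR literal, or a (possibly nested) netgroup to a set of networks."""
    seen = set() if seen is None else seen
    if name == "any":
        return {ipaddress.ip_network("0.0.0.0/0")}
    if name in groups:
        if name in seen:  # guard against a netgroup that contains itself
            return set()
        seen.add(name)
        nets = set()
        for member in groups[name]:
            nets |= expand_nets(member, groups, seen)
        return nets
    return {ipaddress.ip_network(name, strict=False)}


def expand_services(name, groups=SERVICEGROUPS, seen=None):
    """Resolve a service name or (possibly nested) servicegroup to a set of service names."""
    seen = set() if seen is None else seen
    if name in groups:
        if name in seen:
            return set()
        seen.add(name)
        svcs = set()
        for member in groups[name]:
            svcs |= expand_services(member, groups, seen)
        return svcs
    return {name}


def nets_intersect(a, b):
    """True if any network in a shares addresses with any network in b."""
    return any(x.overlaps(y) for x in a for y in b)


def nets_covered(inner, outer):
    """True if every network in inner lies inside some network in outer."""
    return all(any(y.subnet_of(x) for x in outer) for y in inner)


@dataclass
class Acl:
    name: str
    action: str   # "allow" or "deny"
    src: str      # netgroup name, CIDR literal, or "any"
    dst: str
    service: str  # service or servicegroup name


def find_overlaps(rules):
    """Compare each rule with every later rule, assuming first-match ordering.

    Returns (earlier, later, kind) tuples: 'shadowed' when the earlier rule
    already matches everything the later one would, 'overlap' otherwise.
    """
    findings = []
    expanded = [(r, expand_nets(r.src), expand_nets(r.dst), expand_services(r.service))
                for r in rules]
    for i, (a, a_src, a_dst, a_svc) in enumerate(expanded):
        for b, b_src, b_dst, b_svc in expanded[i + 1:]:
            if not (a_svc & b_svc and nets_intersect(a_src, b_src)
                    and nets_intersect(a_dst, b_dst)):
                continue  # disjoint traffic: no interaction
            if b_svc <= a_svc and nets_covered(b_src, a_src) and nets_covered(b_dst, a_dst):
                findings.append((a.name, b.name, "shadowed"))
            else:
                findings.append((a.name, b.name, "overlap"))
    return findings


# Constructed ACL table in evaluation order (sample data, not a real ruleset).
RULES = [
    Acl("allow_web_in", "allow", "any", "dmz_web", "web"),
    Acl("allow_ssh_corp", "allow", "corp", "dmz_all", "ssh"),
    Acl("deny_corp_web", "deny", "corp", "dmz_web", "http"),       # never fires: allow_web_in wins
    Acl("allow_all_dmz", "allow", "corp", "dmz_all", "web_plus"),  # shares traffic with three earlier rules
]

if __name__ == "__main__":
    for earlier, later, kind in find_overlaps(RULES):
        print(f"{kind:9s} {later} (earlier rule: {earlier})")
```

Replacing the constructed tables with a parsed export of your own rules is the only site-specific part; the comparison logic is independent of the format. The script flags rule pairs for review rather than deciding which one to remove, since an overlap between an allow and a deny is a policy question, not a mechanical one.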
