Over 4000 rules on a firewall...

Started by deanwebb, August 29, 2016, 10:39:06 AM


deanwebb

 :zomgwtfbbq: :zomgwtfbbq: :zomgwtfbbq: :zomgwtfbbq: :zomgwtfbbq:

Contractor firm was paid by the rule, apparently... NO GROUPS AT ALL. Every rule is one source, one destination, one service. It's hellacious when it gets to rules permitting AD connections...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

My current gig has something similar. Shitty design to begin with and migrated it to a major service provider. Rulebase was already a huge mess but they just copied it because of time and resource constraints (or laziness, not sure). Somewhere in the middle, someone also thought it would be a good idea to script it - it wasn't, so they started adding rules with "any" fields to fix it. After six months we got read-only access again. I tried cleaning up some but when I cleaned ten, twenty new ones appeared. Everyone has now given up :mrgreen: I'm sure it would take an FTE 3 to 6 months to clean it up, but who would want to do that? :whistle:

deanwebb

^^^ Reasons to get a firewall management system in place.

I hate it when someone adds a duplicate rule, just in case it's not already there and there are too many rules to check.

icecream-guy

duplicate object_groups are the worst.

Object-group network ALL_CLIENT_ACCESS
network x.x.x.x

Object-group network ALL-CLIENT-ACCESS
network x.x.x.x


then ya got 2 ACLs doing the same thing

but I think that's the nature of having firewall managed by multiple people, everyone tends to do what they know.
:professorcat:

My Moral Fibers have been cut.

deanwebb

We're merging rules with common source/destination, source/ports, or destination/ports. Down to around 800 now.

FIREWALL PROTIP: Groups are AMAZING. Use them, why don't you?
:tmyk:
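As an added example (not posted by anyone in this thread), a small Python script that does what the last two posts describe: flag object-groups whose members are identical despite different names, and merge one-source/one-destination/one-service rules that share two fields into a single rule whose third field becomes a group. The group names, addresses and rules are constructed for illustration, not taken from any real rulebase.

```python
from collections import defaultdict

# Constructed object-groups: two names, same members (the case in the thread)
OBJECT_GROUPS = {
    "ALL_CLIENT_ACCESS": {"10.1.1.0/24", "10.1.2.0/24"},
    "ALL-CLIENT-ACCESS": {"10.1.2.0/24", "10.1.1.0/24"},
    "DC_SERVERS": {"10.9.0.10", "10.9.0.11"},
}

# Constructed one-source/one-destination/one-service rules, no groups,
# including one exact duplicate added "just in case"
RULES = [
    ("10.1.1.5", "10.9.0.10", "tcp/389"),
    ("10.1.1.5", "10.9.0.10", "tcp/88"),
    ("10.1.1.5", "10.9.0.10", "tcp/445"),
    ("10.1.1.6", "10.9.0.10", "tcp/389"),
    ("10.1.1.5", "10.9.0.10", "tcp/389"),
]

def duplicate_groups(groups):
    """Group names whose member sets are identical, regardless of name."""
    by_members = defaultdict(list)
    for name, members in groups.items():
        by_members[frozenset(members)].append(name)
    return [sorted(n) for n in by_members.values() if len(n) > 1]

def dedupe(rules):
    """Drop exact duplicate rules, keeping first-seen order."""
    seen = set()
    return [r for r in rules if not (r in seen or seen.add(r))]

FIELD = {"src": 0, "dst": 1, "svc": 2}

def merge_rules(rules, hold=("src", "dst")):
    """Merge rules that share the two 'hold' fields; the third field
    becomes a sorted tuple, i.e. the group the merged rule would reference."""
    fixed = [FIELD[f] for f in hold]
    free = ({0, 1, 2} - set(fixed)).pop()
    buckets = defaultdict(set)
    for r in dedupe(rules):
        buckets[tuple(r[i] for i in fixed)].add(r[free])
    merged = []
    for key, members in buckets.items():
        rule = [None, None, None]
        for i, v in zip(fixed, key):
            rule[i] = v
        rule[free] = tuple(sorted(members))
        merged.append(tuple(rule))
    return merged
```

Running `merge_rules` once per pairing (src/dst, src/svc, dst/svc) and comparing the resulting rule counts shows which consolidation shrinks a given rulebase the most.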