And then I said "I understand what it is doing, and if you have questions,
ask me or go take the FW-1 class yourself."
A while back a higher-up wanted to have every rule explained to him, and
then asked me to redo the rule-set so it made sense to him. I eventually
persuaded him that he didn't need to understand the rules, just the policy
- he agreed after detailed explanations of the first 19 rules. Made life
much easier on both of us.
The problem that leaves is that I understand what the rules are doing, but
not necessarily what the firewall is doing. Recent example: about 1% of
ftp transfers were being blocked by the firewall, contrary to the FW-1 rule
set. I think it was that known problem with ftp data ports being the same
as defined ports so the transfer was blocked. No matter how well I could
explain all the objects and rules, that bug would never have appeared in
any analysis.
To test what actually happens, someone else should have a copy of the
policy and they should dream up ways to test it by making connections
through the firewall - without any input from you, as that can skew the
results.
After all that, there are a number of useful perl scripts on
http://www.phoneboy.com/fw1/, some of which probably do exactly what you want.
hermit1
At 02:48 PM 7/3/00 +0100, [EMAIL PROTECTED] wrote:
>We don't understand what our firewall is doing.....they said.
>We need to understand what our firewall is doing.....they said.
>Make it so.....they said.
>
>So, what's needed here is a tool that can take the objects and rules files
>apart and generate a readable report.
>
>Any takers?
>Steve Pollard
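The "take the objects and rules files apart and generate a readable report" request above, as an added example that is not part of either message, the phoneboy scripts, or Check Point's own tooling. It parses the nested `:key (value)` paren notation used by FW-1's objects.C and rulebases.fws files; the two sample files are constructed for the example (real files carry many more fields, and exact field names are an assumption), the `Any` object is assumed, and the high-port check at the end is a heuristic of my own for spotting service definitions that could collide with FTP data connections like the one hermit1 describes.

```python
"""Turn FW-1-style objects/rulebase text into a readable report (added example)."""
import re

# Tokens: a parenthesis, a double-quoted string, or a bare word (":key" included).
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def parse(text):
    """Parse one parenthesised block into a list of (key, value) pairs.

    `:key (scalar)` -> ("key", "scalar"); `: (...)` -> ("", [...]);
    a bare word inside a block -> (None, "word"). Values are strings or nested lists.
    """
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def value():
        nonlocal pos
        if tokens[pos] == "(":
            return block()
        tok = tokens[pos]
        pos += 1
        return tok.strip('"')

    def block():
        nonlocal pos
        pos += 1  # consume "("
        items = []
        while tokens[pos] != ")":
            tok = tokens[pos]
            if tok.startswith(":"):
                pos += 1
                items.append((tok[1:], value()))
            else:
                items.append((None, value()))
        pos += 1  # consume ")"
        # "(80)" or ("some text") is a scalar, not a one-element block
        if len(items) == 1 and items[0][0] is None and isinstance(items[0][1], str):
            return items[0][1]
        return items

    return block()


def get(node, key, default=None):
    """First value stored under `key` in a parsed block (default if absent or scalar)."""
    if not isinstance(node, list):
        return default
    return next((v for k, v in node if k == key), default)


def named_entries(node):
    """Yield (name, body) for each anonymous `: (name ...)` entry in a block."""
    for k, v in node:
        if k != "":
            continue
        if isinstance(v, str):          # `: (name)` with no attributes
            yield v, []
        else:                           # `: (name :attr (..) ...)`
            yield next((x for kk, x in v if kk is None), None), v


def load_objects(objects_text):
    """Map each network/service object name to a short human-readable description."""
    root = parse(objects_text)
    desc = {"Any": "Any"}  # assumption: built-in catch-all object
    for name, body in named_entries(get(root, "netobj", [])):
        desc[name] = f"{get(body, 'type')} {get(body, 'ipaddr')}/{get(body, 'netmask')}"
    for name, body in named_entries(get(root, "servobj", [])):
        desc[name] = f"{get(body, 'type')}/{get(body, 'port')}"
    return desc


def names(field):
    """Object names referenced by a rule column such as `:src (: (a) : (b))`."""
    return [n for n, _ in named_entries(field)] if isinstance(field, list) else [field]


def report(objects_text, rulebase_text):
    """Return the rulebase as readable lines with every object resolved inline."""
    desc = load_objects(objects_text)
    lines = []
    for n, (_, rule) in enumerate(named_entries(get(parse(rulebase_text), "rules", [])), 1):
        lines.append(f"Rule {n}: {get(rule, 'comments', '')}")
        for col in ("src", "dst", "services"):
            items = ", ".join(f"{o} ({desc.get(o, 'UNDEFINED')})" for o in names(get(rule, col, [])))
            lines.append(f"  {col:9}{items}")
        lines.append(f"  action   {get(rule, 'action')}   track: {get(rule, 'track')}")
    return lines


EPHEMERAL_MIN = 1024  # assumption: ports from here up may also be chosen for FTP data


def high_port_services(objects_text):
    """Heuristic: services defined on ports an FTP data connection could also use."""
    out = []
    for name, body in named_entries(get(parse(objects_text), "servobj", [])):
        port = get(body, "port", "")
        if port.isdigit() and int(port) >= EPHEMERAL_MIN:
            out.append((name, int(port)))
    return out


# Constructed sample files in the objects.C / rulebases.fws style (not real exports).
OBJECTS_C = """(
  :netobj (
    : (internal_net :type (network) :ipaddr (10.0.0.0) :netmask (255.0.0.0))
    : (web_server :type (host) :ipaddr (192.0.2.10) :netmask (255.255.255.255)
       :comments ("Public web server"))
  )
  :servobj (
    : (http :type (tcp) :port (80))
    : (ftp :type (tcp) :port (21))
    : (legacy_app :type (tcp) :port (4000))
  )
)"""

RULEBASE_FWS = """(
  :rules (
    : (:src (: (internal_net)) :dst (: (web_server)) :services (: (http) : (ftp))
       :action (accept) :track (log) :comments ("Internal users to the web server"))
    : (:src (: (Any)) :dst (: (Any)) :services (: (Any))
       :action (drop) :track (log) :comments ("Cleanup rule"))
  )
)"""

if __name__ == "__main__":
    for line in report(OBJECTS_C, RULEBASE_FWS):
        print(line)
    for name, port in high_port_services(OBJECTS_C):
        print(f"NOTE: service {name} sits on high port {port}; compare against FTP data ports")
```

Objects a rule references but the objects file never defines are printed as `UNDEFINED`, which is the first thing to look for when a rulebase "doesn't make sense"; the high-port list is only a pointer to where a collision with FTP data connections is possible, not proof that one happens.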
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================