
Firewall Browser Searches Object Hierarchies

Firewall Browser, our recently released free tool, has a very powerful search capability that automatically explores object hierarchies to catch all matching object groups and rules. We often see nested object groups in complex firewalls. Object and rule searches in various management consoles only look at direct matches; they do not capture matches that occur in child groups. When a user tries to add new object groups for new security rules, such incomplete results can lead to duplicate or overlapping object groups.

Here is an interesting case from a Cisco FWSM firewall:

object-group service ldap-ports udp
 port-object eq ldap
 port-object eq ldaps
object-group service netbios-name-ports udp
 port-object eq 137
 port-object eq 138
object-group service domain-controller-udp-ports udp
 group-object ldap-ports
 group-object netbios-name-ports
object-group service std-dc-udp-port udp
 port-object range 137 138
 port-object eq ldap
 port-object eq ldaps

Object group “domain-controller-udp-ports” is exactly the same as object group “std-dc-udp-port”. With the management console, a user has to manually expand child groups with multiple searches to figure this out. Using Firewall Browser, a user can instantaneously view all object groups that match the given criteria (e.g. object name, IP address or service port) no matter how deep the values are hidden in object hierarchies.

The Firewall Browser rule search facility supports object hierarchies as well. In the above example, any access-list rule that refers to “domain-controller-udp-ports” is captured in Firewall Browser if the rule search is against any member object in “ldap-ports” or in “netbios-name-ports”.
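The following is an added example, written for this page and not code from Athena Security or from Firewall Browser, showing the recursive expansion that such a search needs: it parses the object groups above, follows group-object references down the hierarchy, reports every group whose expanded port set contains a given port, flags groups that turn out to be identical once expanded, and matches access-list rules by expanded group membership. The access-list line and the small named-port table (ldap, ldaps, domain, ntp) are assumptions constructed for the sample; a real tool would carry Cisco's full named-port table.

```python
"""Recursive search over nested Cisco ASA/FWSM service object groups."""
import re

# Constructed sample: the object groups from the post plus one hypothetical
# access-list entry that references the nested group (not from the post).
SAMPLE_CONFIG = """\
object-group service ldap-ports udp
 port-object eq ldap
 port-object eq ldaps
object-group service netbios-name-ports udp
 port-object eq 137
 port-object eq 138
object-group service domain-controller-udp-ports udp
 group-object ldap-ports
 group-object netbios-name-ports
object-group service std-dc-udp-port udp
 port-object range 137 138
 port-object eq ldap
 port-object eq ldaps
access-list inside_in extended permit udp 10.0.0.0 255.255.255.0 host 10.1.1.5 object-group domain-controller-udp-ports
"""

# Assumption: only the named ports needed for the sample; Cisco accepts many more.
NAMED_PORTS = {"ldap": 389, "ldaps": 636, "domain": 53, "ntp": 123}


def port_number(token):
    """Resolve a Cisco port token (name or number) to an integer."""
    if token in NAMED_PORTS:
        return NAMED_PORTS[token]
    return int(token)


def parse_object_groups(config):
    """Return {name: {"ports": set(int), "children": [group names]}}."""
    groups = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^object-group service (\S+) (tcp|udp|tcp-udp)$", line)
        if m:
            current = groups.setdefault(m.group(1), {"ports": set(), "children": []})
            continue
        if current is None or not line.startswith(" "):
            current = None  # any non-indented line ends the group body
            continue
        body = line.strip()
        if body.startswith("group-object "):
            current["children"].append(body.split()[1])
        elif body.startswith("port-object eq "):
            current["ports"].add(port_number(body.split()[2]))
        elif body.startswith("port-object range "):
            lo, hi = body.split()[2:4]
            current["ports"].update(range(port_number(lo), port_number(hi) + 1))
    return groups


def expand(name, groups, _seen=None):
    """Flatten a group to its full port set, following group-object references."""
    if _seen is None:
        _seen = set()
    if name in _seen:  # guard against reference loops in a broken config
        return set()
    _seen.add(name)
    ports = set(groups[name]["ports"])
    for child in groups[name]["children"]:
        ports |= expand(child, groups, _seen)
    return ports


def groups_containing(port, groups):
    """Every group that contains the port directly or via any child group."""
    return sorted(n for n in groups if port in expand(n, groups))


def duplicate_groups(groups):
    """Sets of groups whose fully expanded port sets are identical."""
    by_ports = {}
    for n in groups:
        by_ports.setdefault(frozenset(expand(n, groups)), []).append(n)
    return sorted(sorted(v) for v in by_ports.values() if len(v) > 1)


def rules_matching_port(port, config, groups):
    """Access-list lines that reach the port through a referenced group or a direct eq."""
    hits = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        ref = re.search(r"object-group (\S+)", line)
        via_group = ref and ref.group(1) in groups and port in expand(ref.group(1), groups)
        direct = any(port_number(t) == port for t in re.findall(r"\beq (\S+)", line))
        if via_group or direct:
            hits.append(line)
    return hits


if __name__ == "__main__":
    g = parse_object_groups(SAMPLE_CONFIG)
    print("groups with udp/137:", groups_containing(137, g))
    print("identical groups:", duplicate_groups(g))
    print("rules reaching udp/636:", rules_matching_port(636, SAMPLE_CONFIG, g))
```

Searching for port 137 returns netbios-name-ports, domain-controller-udp-ports and std-dc-udp-port, and the access-list entry is returned for port 636 even though it never names ldap-ports, which is exactly what a console doing direct matches only would miss; the shared `_seen` set also stops a circular group-object reference from recursing forever.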

You can download Firewall Browser from the Athena Security web site with no license restrictions for end-users.

Copyright © 2006-2009 Athena Security, Inc. All Rights Reserved. AthenaVerifyTM and Athena FirePACTM are trademarks of Athena Security, Inc.