Standardizing Network and Service Objects across Firewalls
Network and service objects are the building blocks firewall engineers use when implementing firewall policy. In an environment with a large number of firewalls, it is highly recommended that all common objects across the firewall inventory be standardized. Without standardization, the same commonly used service or IP address ends up defined as separate objects on different firewalls, or worse, the same object name is bound to different object definitions on different firewalls. Objects with the same name but different definitions (called conflict objects) can cause configuration errors. Objects with different names but the same definition (called redundant objects) unnecessarily increase the size of the object library and can lead to redundant rules in the configuration.
Object standardization involves the following steps, applied across all the firewalls in the inventory:
- Collect all objects from all firewalls in the inventory
- Identify conflicting and redundant objects by comparing object names and definitions
- Rename objects
- Replace a set of redundant objects with a single object
- Replace an object with another object
- Split an object into smaller objects
- Resolve conflicts between objects
- Update all configurations with the new object names and definitions
- Validate the changes in the configuration
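The first, second, third, fourth, eighth and ninth steps above can be illustrated with a small script. The following is an added example and is not FirePAC code or anything from the original post: it assumes ASA-style `object network` / `object service` syntax, compares definitions as normalized text rather than by IP address and port semantics, resolves a conflict object by giving it a firewall-qualified name (a constructed convention), collapses redundant objects onto the alphabetically first name, rewrites object references in rules, and then re-checks the result. The two firewall configurations embedded in it are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample inventory: two ASA-style firewall configurations.
# db-srv has different definitions on the two firewalls (conflict object);
# http-svc and www share one definition (redundant objects).
FW_CONFIGS = {
    "fw-a": """
object network web-srv
 host 10.1.1.10
object network db-srv
 host 10.1.1.20
object service http-svc
 service tcp destination eq 80
access-list outside_in extended permit object http-svc any object web-srv
""",
    "fw-b": """
object network web-srv
 host 10.1.1.10
object network db-srv
 host 10.2.2.20
object service www
 service tcp destination eq 80
access-list outside_in extended permit object www any object web-srv
""",
}

OBJ_HEADER = re.compile(r"^object (network|service) (\S+)$")
# Matches both object headers and 'object <name>' references inside rules;
# 'object-group' does not match because a space must follow 'object'.
OBJ_REF = re.compile(r"\bobject (network |service )?(\S+)")


def parse_objects(config_text):
    """Return {name: (type, normalized definition)} for one firewall config."""
    objects, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        m = OBJ_HEADER.match(raw)
        if m:
            current = m.group(2)
            objects[current] = (m.group(1), [])
        elif raw.startswith(" ") and current:
            objects[current][1].append(" ".join(raw.split()))  # body line of the object
        else:
            current = None  # any other top-level line (e.g. access-list) ends the block
    return {n: (t, " ; ".join(body)) for n, (t, body) in objects.items()}


def build_inventory(fw_configs):
    """Global object table: rows of (firewall, name, type, definition)."""
    return [(fw, name, otype, definition)
            for fw, text in fw_configs.items()
            for name, (otype, definition) in parse_objects(text).items()]


def find_conflicts(rows):
    """Conflict objects: one name bound to more than one distinct definition."""
    defs_by_name = defaultdict(set)
    for _, name, otype, definition in rows:
        defs_by_name[name].add((otype, definition))
    return {n: d for n, d in defs_by_name.items() if len(d) > 1}


def find_redundant(rows):
    """Redundant objects: one definition carried by more than one distinct name."""
    names_by_def = defaultdict(set)
    for _, name, otype, definition in rows:
        names_by_def[(otype, definition)].add(name)
    return {d: n for d, n in names_by_def.items() if len(n) > 1}


def build_mapping(rows):
    """Object mapping table {(firewall, old name): new name}."""
    conflicts = find_conflicts(rows)
    canonical = {d: min(names) for d, names in find_redundant(rows).items()}
    mapping = {}
    for fw, name, otype, definition in rows:
        if name in conflicts:
            mapping[(fw, name)] = f"{name}-{fw}"  # constructed convention: keep them distinct
        elif canonical.get((otype, definition), name) != name:
            mapping[(fw, name)] = canonical[(otype, definition)]  # collapse onto one name
    return mapping


def apply_mapping(fw, config_text, mapping):
    """Rewrite object headers and rule references for one firewall."""
    def sub(m):
        new = mapping.get((fw, m.group(2)), m.group(2))
        return f"object {m.group(1) or ''}{new}"
    return "\n".join(OBJ_REF.sub(sub, line) for line in config_text.splitlines())


def standardize(fw_configs):
    mapping = build_mapping(build_inventory(fw_configs))
    return mapping, {fw: apply_mapping(fw, text, mapping) for fw, text in fw_configs.items()}


def validate(fw_configs):
    """Validation step: no conflict and no redundant objects remain."""
    rows = build_inventory(fw_configs)
    return not find_conflicts(rows) and not find_redundant(rows)


if __name__ == "__main__":
    mapping, new_configs = standardize(FW_CONFIGS)
    for (fw, old), new in sorted(mapping.items()):
        print(f"{fw}: {old} -> {new}")
    print("standardized inventory valid:", validate(new_configs))
```

Because the mapping is applied to both the object headers and every `object <name>` reference in the access lists, the rules keep their positions and sequence; a real tool must additionally handle nested object groups and the older pre-8.3 syntax discussed below, neither of which this example covers.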
If all firewalls are already managed by a single management console, e.g. Cisco CSM, an object modified in the console is propagated to every object and rule that refers to it across all managed firewalls. When many objects are modified at once, this can be very dangerous, because the impact of the configuration changes on network security is never evaluated. Moreover, consolidation of redundant objects cannot be done through a management console, since management consoles do not search for and merge objects based on their IP addresses and port values.
One of our customers, a Fortune 500 company, encountered many problems when they started their company-wide object standardization project. They were attempting to deploy Cisco CSM to manage a couple of hundred Cisco firewalls. However, CSM does not resolve conflict objects; it simply creates new objects with a suffix of 1, 2, etc. Had they blindly deployed CSM, a huge manual effort would have been necessary to resolve and consolidate an object library of more than 10k objects. Among the issues they encountered that would have delayed their project significantly were:
- The Cisco firewall CLI (prior to ASA 8.3) does not support object rename or replacement. A new object has to be created, and all referring rules and objects have to be found and replaced manually.
- The Cisco firewall CLI does not support replacing an object within a rule. A new rule with the replacing object(s) has to be created manually and inserted at the proper position within the access list.
- Cisco firewalls do not support splitting an object. New object(s) have to be created, and all referring rules or objects have to be found and replaced manually.
- After the standardization process, no validation can be done other than a simple text compare.
- Manual standardization is very time consuming and error-prone. It took about one week to standardize one firewall, with no guarantee of accuracy.
With the help of the Athena FirePAC Object Standardization tool, the customer’s object standardization effort was reduced significantly, for the following reasons:
- The overall standardization workload was reduced very significantly.
- The FirePAC rule/object cleanup tool removed more than 30% of the redundant rules and unreferenced objects.
- A global object table was exported from FirePAC. Objects were grouped by firewall, object name, and object definition. All conflict objects were automatically identified and treated as separate objects.
- A global object mapping table was defined and imported into FirePAC. All objects in the inventory were included in the mapping table.
- The various object mapping types, including rename, replace, modify and split, were handled by FirePAC.
- Object mapping scripts were generated automatically by FirePAC, taking rule sequence and object member hierarchy into account.
- FirePAC rule/object compare and policy compare provided solid validation of the new firewall configuration after the object standardization.
Overall, the object standardization took only half a day per firewall, with guaranteed accuracy. The customer said “FirePAC has contributed greatly to the success of our object standardization project”.
The above screenshot shows the object mappings and mapping scripts (at the top of the screen) that are generated by FirePAC.
Check out more about FirePAC through these videos: Impact Analysis, Rule/Object Cleanup, and Object Standardization.
Tags: Athena FirePAC, object standardization, rule/object cleanup
December 9th, 2011 at 5:41 pm
Muchos Gracias for your blog. Much thanks again. Much obliged.
December 21st, 2011 at 12:27 pm
Great write-up, I'm a giant believer in commenting on blogs to help the weblog writers know that they’ve added something worthwhile to the world extensive web! (supply web-chamber.com). Anyway, in my language, there aren't a lot of good sources like this.
December 31st, 2011 at 2:06 pm
I really like and appreciate your post. Really looking forward to reading more. Awesome.