In this series of posts, we examine some of the challenges involved in migrating firewall configurations between different firewall platforms and discuss some strategies for approaching these issues. The previous post introduced the basic firewall configuration elements that have to be migrated and discussed some of the issues in converting routing table entries, and network and service objects. In this post, we investigate converting security rules.
Converting Security Rules
The basic elements of a security rule (sometimes called ACLs or filtering rules) are defined similarly in all firewall platforms. Each rule specifies a set of source addresses, a set of destination addresses, and a set of services that are matched against an incoming network data packet, and an action to take: typically to allow or deny the matching packets.
The syntax of these rules is quite different across different firewall platforms as are the mechanisms for grouping rules to provide higher-level abstractions and partitioning rules for better management of rule bases.
Some firewall platforms, such as Cisco security appliances, allow only a single network or service object value for source, destination, and service elements. The Cisco Security Manager (CSM) management console allows you to specify multiple values per element in a rule, but when the configuration is installed on a target firewall, the rules are expanded to have only one value per element. Other firewalls, like Check Point and Juniper Netscreen, allow multiple values per element to allow for an aggregated and smaller rule base.
In Check Point firewalls, all rules are grouped into a single, flat rule base. This entire rule base is evaluated for each packet entering the firewall, regardless of entering or exiting interface. Thus it is not possible to organize the rules to take advantage of the network structure based on the set of network address ranges reachable from each interface. In Cisco firewalls, security rules are organized into access groups that are assigned to one or more interfaces to be evaluated for packets either entering or exiting through that interface. In Juniper Netscreen firewalls, interfaces that have networks behind them with similar security posture can be grouped into security zones. Rules are defined by packets entering and exiting through the source and destination zone.
These different ways of organizing and grouping rules pose the biggest challenge in converting the security rules from one platform to another. It is necessary to understand which networks are reachable from each interface or security zone and then partition the rules accordingly. This can get interesting when converting rules using zone-spanning objects on a firewall with a flat architecture to an architecture that requires the rules to be partitioned by interface or zone.
Because of these different approaches to grouping of rules, the impact of using “Any” values in source and destination elements is varies across different firewall platforms. When “Any” is used as Source or destination in a Check Point configuration, it means any address that is reachable from any interface. However when “Any” is used as a source in a filtering rule on a Cisco firewall, it means only the networks that are reachable from the interface(s) that the rules are applied to. Similarly in a Netscreen firewall, when “Any” is used as a source or destination value in a filtering rule, it really means only the networks that are reachable from the interfaces belonging to the source or destination security zones.
Zone-spanning objects pose a similar issue. In a Cisco or Juniper firewall, only the addresses reachable from the relevant interface or security zone are allowed or denied by the filtering rules, even if a zone spanning object is used. When converting such rules to a flat rule base, as in Check Point, the zone spanning object will have to be divided so as to specify only the reachable networks for the correct interface.
In general, when converting rules from a firewall platform where rules have higher level of grouping to a platform with lesser level of grouping or no grouping, “Any” values or zone spanning objects need to be resolved with networks that are actually reachable from interface(s) in the target firewall. When converting rules from a firewall platform with flat or lower level of grouping to a higher level of grouping, source networks and destination addresses in each rule have to be analyzed to find the proper interface or security zone through which the networks are actually reachable and place them in the proper ruleset.
In the next blog post, we will examine some of the issues involved in migrating network address translation (NAT) rules.