Security | 2 min read

The Any/Any No-No: A Security Dilemma Solved

Colman Finnin
June 2019

So, you just bought a firewall cluster for the price of a compact car, upgraded the firmware, applied the initial config and set up an any-to-any rule. So far so good, but now what?

If you are lucky and this project is a life-cycle replacement, you can take over the existing rule set. But if this is a green-field approach and you have little or no guidance to go by, then you are doomed.

As a system integrator, we come across this scenario more often than we would like. If a customer is unable to specify the requirements for a firewall project, we revert to plan B: a small, ingenious device, an Intel-based NUC running Linux, that hosts a syslog server and a piece of proprietary software called FlowUI. It has one purpose: to collect, log and store every session flowing through the firewall (which means the temporary any-to-any rule must have session logging enabled, otherwise there is nothing to collect).

To verify correct operation, an overview of the logged sessions can be viewed at any time in a dashboard (Grafana).

The NUC stays connected to the firewall and records all traffic for a defined period, usually a month, after which the NUC, along with the data, is returned to us, where the data is validated and imported into a database. Through the web-based UI the flows can then be analysed, for example by source and destination,

or by destination port, i.e. by "application" (either pre-configured or custom),

or by a combination of both, for example to see all HTTPS connections.

In collaboration with the customer, we map these flows to (custom) "applications" and to subnets, which are stored as address-book entries.

Finally, the gathered and entered information is processed and analysed by our software. The result is a set of configuration statements for applications, address books and security policies that can be applied directly to Juniper SRX firewalls. Problem solved.
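As an added example, not the FlowUI software the post describes, the following Python script does that last step in miniature: it parses a handful of constructed SRX session-close records, collapses them into flows, maps the addresses to customer subnets and the ports to custom applications, and emits Junos set commands for applications, a global address book and security policies. The log layout (modelled on the key="value" fields of an RT_FLOW_SESSION_CLOSE message), the subnet and application mappings and the naming scheme are all assumptions made for illustration.

```python
"""Added example (not the FlowUI software from the post): collapse SRX
session-close syslog records into Junos set commands for applications,
address-book entries and security policies. Field names, subnet/application
mappings and the naming scheme are assumptions for illustration."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample records, modelled on the key="value" structured-data
# fields of an SRX RT_FLOW_SESSION_CLOSE message (assumed layout; adjust
# FIELD_RE and the field names below to the firewall's real log format).
SAMPLE_LOG = """\
RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="10.1.1.20" source-port="51234" destination-address="93.184.216.34" destination-port="443" protocol-id="6" policy-name="any-any" source-zone-name="trust" destination-zone-name="untrust"]
RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="10.1.1.21" source-port="51240" destination-address="93.184.216.34" destination-port="443" protocol-id="6" policy-name="any-any" source-zone-name="trust" destination-zone-name="untrust"]
RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="idle Timeout" source-address="10.1.1.20" source-port="40001" destination-address="10.2.0.53" destination-port="53" protocol-id="17" policy-name="any-any" source-zone-name="trust" destination-zone-name="dmz"]
RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="10.1.1.22" source-port="50002" destination-address="10.2.0.10" destination-port="8443" protocol-id="6" policy-name="any-any" source-zone-name="trust" destination-zone-name="dmz"]
RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="ICMP error" source-address="10.1.1.22" source-port="1" destination-address="10.2.0.10" destination-port="1" protocol-id="1" policy-name="any-any" source-zone-name="trust" destination-zone-name="dmz"]
"""
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')
PROTO_NAMES = {"6": "tcp", "17": "udp"}  # ICMP etc. need separate handling, skipped here

# Customer-supplied mappings: the address-book entries and custom
# applications the post describes (assumed values).
SUBNETS = {"10.1.1.0/24": "office-lan", "10.2.0.0/24": "dmz-servers"}
APPLICATIONS = {("tcp", 443): "https", ("udp", 53): "dns"}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_sessions(text):
    """Count sessions per (zones, src, dst, proto, dport); the source port is dropped."""
    flows = Counter()
    for line in text.splitlines():
        if "RT_FLOW_SESSION_CLOSE" not in line:
            continue
        f = dict(FIELD_RE.findall(line))
        proto = PROTO_NAMES.get(f.get("protocol-id"))
        if proto is None:
            continue
        flows[Flow(f["source-zone-name"], f["destination-zone-name"],
                   f["source-address"], f["destination-address"],
                   proto, int(f["destination-port"]))] += 1
    return flows


def address_entry(ip):
    """Enclosing customer subnet if one is known, otherwise a /32 host entry."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return name, cidr
    return "host-" + ip.replace(".", "-"), ip + "/32"


def application_entry(proto, dport):
    """Custom application name, or a generated one for unmapped ports."""
    return "app-" + APPLICATIONS.get((proto, dport), f"{proto}-{dport}"), proto, dport


def build_policies(flows):
    """Collapse flows to (src zone, dst zone, src entry, dst entry, app) with session counts."""
    policies = Counter()
    for flow, n in flows.items():
        policies[(flow.src_zone, flow.dst_zone, address_entry(flow.src)[0],
                  address_entry(flow.dst)[0], application_entry(flow.proto, flow.dport)[0])] += n
    return policies


def junos_config(flows):
    """Emit Junos set commands: applications, global address book, one permit
    policy per collapsed flow, then an explicit logged deny per zone pair."""
    addrs, apps, lines = {}, {}, []
    for flow in flows:
        for ip in (flow.src, flow.dst):
            name, cidr = address_entry(ip)
            addrs[name] = cidr
        name, proto, dport = application_entry(flow.proto, flow.dport)
        apps[name] = (proto, dport)
    for name, (proto, dport) in sorted(apps.items()):
        lines.append(f"set applications application {name} protocol {proto} destination-port {dport}")
    for name, cidr in sorted(addrs.items()):
        lines.append(f"set security address-book global address {name} {cidr}")
    zone_pairs = set()
    for (sz, dz, src, dst, app), _ in sorted(build_policies(flows).items()):
        pol = f"set security policies from-zone {sz} to-zone {dz} policy {src}-to-{dst}-{app}"
        lines += [f"{pol} match source-address {src}", f"{pol} match destination-address {dst}",
                  f"{pol} match application {app}", f"{pol} then permit",
                  f"{pol} then log session-close"]
        zone_pairs.add((sz, dz))
    # The rule that actually retires any/any: deny everything else, logged, so
    # anything the collection window missed shows up in syslog instead of vanishing.
    for sz, dz in sorted(zone_pairs):
        pol = f"set security policies from-zone {sz} to-zone {dz} policy deny-rest"
        lines += [f"{pol} match source-address any", f"{pol} match destination-address any",
                  f"{pol} match application any", f"{pol} then deny", f"{pol} then log session-init"]
    return lines


if __name__ == "__main__":
    print("\n".join(junos_config(parse_sessions(SAMPLE_LOG))))
```

Two points the script makes explicit. Source ports are discarded before grouping, otherwise every ephemeral port becomes its own "flow" and nothing collapses. And the generated rule set ends with a logged deny per zone pair, which is what actually replaces the any-to-any rule; traffic that the month of collection did not see (a quarterly batch job, a year-end report) then appears in syslog as a denied session rather than disappearing silently. Review the generated host-… entries with the customer before committing: a /32 per observed destination is a safe default, but it bloats the address book quickly and is usually better expressed as a named subnet.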

