Security | 2 min read
The Any/Any No-No: A Security Dilemma Solved
So, you just bought a firewall cluster for the price of a compact car, upgraded the firmware, applied the initial configuration and set up an any-to-any rule. So far so good, but now what?
If you are lucky and the project is a life-cycle replacement, you can take over the existing rule set. If it is a green-field deployment and you have little or no guidance to go by, you are doomed.
As a system integrator, we run into this scenario more often than we would like. If a customer is unable to specify the requirements for a firewall project, we fall back on plan B: a small, ingenious device, an Intel-based NUC running Linux, that hosts a syslog server together with a piece of proprietary software called FlowUI. It has one purpose: to collect, log and store every session flowing through the firewall.
To verify correct operation, an overview of the logged sessions can be viewed in a Grafana dashboard.
This NUC stays connected to the firewall and records all traffic for a defined period, usually a month, after which the NUC and its data are returned to us, validated and imported into a database. Through the web-based UI the flows can then be analysed, for example by source and destination, by destination port (an "application", either pre-configured or custom), or by a combination of both, for instance to list all HTTPS connections.
In collaboration with the customer, we map these flows to (custom) applications and to subnets, which are stored as address-book entries.
Finally, the gathered and entered information is processed by our software. The result is a set of configuration statements for applications, address books and security policies that can be applied directly to Juniper SRX firewalls. Problem solved.
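To make the pipeline above concrete (session log in, address book, applications and policies out), here is an added Python example. It is not FlowUI or the integrator's software: the key=value session log layout, the address-book and application names, and the zone names "trust" and "dmz" are all constructed for the example. The one design point worth noting is that a flow whose address or port has no agreed name is set aside for review rather than silently turned into a rule; that is how the any/any rule gets retired without a hidden catch-all surviving in the generated policy.

```python
"""Aggregate recorded sessions into Juniper SRX-style configuration.
Added example; log format, names and zones are assumptions."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed session records. The key=value layout is invented for this
# example and is not the SRX RT_FLOW syslog format.
SAMPLE_LOG = """\
2024-03-01T08:01:02Z fw01 SESSION_CLOSE src=10.10.5.21 dst=192.0.2.40 proto=tcp sport=51234 dport=443
2024-03-01T08:01:09Z fw01 SESSION_CLOSE src=10.10.5.22 dst=192.0.2.40 proto=tcp sport=51240 dport=443
2024-03-01T08:02:11Z fw01 SESSION_CLOSE src=10.10.5.21 dst=192.0.2.53 proto=udp sport=40111 dport=53
2024-03-01T08:03:40Z fw01 SESSION_CLOSE src=10.10.5.30 dst=192.0.2.40 proto=tcp sport=51300 dport=8443
2024-03-01T08:04:05Z fw01 SESSION_CLOSE src=10.10.5.21 dst=192.0.2.40 proto=tcp sport=51301 dport=443
2024-03-01T08:05:17Z fw01 SESSION_CLOSE src=10.10.5.21 dst=198.51.100.7 proto=tcp sport=51302 dport=22
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) sport=\d+ dport=(\d+)")

# Address book agreed with the customer (names are assumed).
ADDRESS_BOOK = {
    "net-office-clients": "10.10.5.0/24",
    "host-web-frontend": "192.0.2.40/32",
    "host-dns": "192.0.2.53/32",
}
# Predefined Junos application names for the well-known ports, plus one
# custom application for the non-standard port.
PREDEFINED_APPS = {("tcp", 443): "junos-https", ("udp", 53): "junos-dns-udp"}
CUSTOM_APPS = {("tcp", 8443): "app-web-admin"}


def parse_sessions(text):
    """Return one (src, dst, proto, dport) tuple per parseable log line."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, proto, dport = m.groups()
            sessions.append((src, dst, proto.lower(), int(dport)))
    return sessions


def count_flows(sessions):
    """Collapse individual sessions into distinct flows with hit counts."""
    return Counter(sessions)


def lookup_address(ip):
    """Longest-prefix match of an IP against the address book, else None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, prefix in ADDRESS_BOOK.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0] if best else None


def lookup_application(proto, dport):
    return PREDEFINED_APPS.get((proto, dport)) or CUSTOM_APPS.get((proto, dport))


def map_flows(flows):
    """Translate flows into (src-name, dst-name) -> {application} pairs.
    Flows whose address or port has no agreed name are returned separately
    for review instead of silently becoming a rule."""
    policies = defaultdict(set)
    unmapped = []
    for (src, dst, proto, dport), hits in flows.items():
        s, d = lookup_address(src), lookup_address(dst)
        app = lookup_application(proto, dport)
        if s and d and app:
            policies[(s, d)].add(app)
        else:
            unmapped.append(((src, dst, proto, dport), hits))
    return dict(policies), unmapped


def render_srx(policies, from_zone="trust", to_zone="dmz"):
    """Emit Junos 'set' statements for the address book, the custom
    applications and one policy per (source, destination) pair."""
    lines = []
    for name, prefix in ADDRESS_BOOK.items():
        lines.append(f"set security address-book global address {name} {prefix}")
    for (proto, port), name in CUSTOM_APPS.items():
        lines.append(f"set applications application {name} protocol {proto} destination-port {port}")
    for (s, d), apps in sorted(policies.items()):
        base = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {s}-to-{d}"
        lines.append(f"{base} match source-address {s}")
        lines.append(f"{base} match destination-address {d}")
        for app in sorted(apps):
            lines.append(f"{base} match application {app}")
        lines.append(f"{base} then permit")
    return lines


if __name__ == "__main__":
    flows = count_flows(parse_sessions(SAMPLE_LOG))
    policies, unmapped = map_flows(flows)
    print("\n".join(render_srx(policies)))
    for flow, hits in unmapped:
        print(f"# REVIEW: {flow} seen {hits}x, no address-book/application mapping")
```

Run as a script it prints the `set` statements for the three mapped flows and one REVIEW line for the SSH session to 198.51.100.7, which is in neither the address book nor the application list. In practice the review list is what the workshop with the customer works through: each entry either gets a name and becomes a policy, or is confirmed as traffic the new rule set should drop.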