11 October 2011

New Edition of Firewall Builder 5!

Firewall Builder 5 is here:

NetCitadel recently announced the release of Firewall Builder 5, which includes some minor changes in the GUI. I blogged before about Firewall Builder 4.1.0. You can find the details of that blog here:

What is Firewall Builder?
Firewall Builder is a program that simplifies the management of firewall rules for a wide range of operating systems and hardware firewall devices. Normally you have to define the rulesets by hand; if you want some assistance when defining rulesets (web server rules, and so on), Firewall Builder can help you out.
Supported Firewalls
Firewall Builder supports GUI based firewall policy configuration and management on the following firewalls:
  • Linux iptables
    • 2.4 & 2.6 kernels
    • Most commonly used modules supported
    • Support for embedded distros including DD-WRT, OpenWrt and Sveasoft
  • Cisco router access control lists (ACL)
    • IOS versions 12.1 through 12.4 (other versions unofficially supported)
  • Cisco ASA/PIX
    • PIXOS 6.1, 6.2, 6.3, 7.0, 8.0, 8.2, 8.3
  • Cisco Firewall Service Module (FWSM)
    • FWSM 2.3, 3.2 and 4.x
  • OpenBSD pf
    • All versions, with version specific syntax for 3.x, 3.7 - 3.9, 4.0 - 4.2, 4.3, 4.5, 4.6, 4.7 and later
  • FreeBSD ipfw and ipfilter
    • All versions
  • HP ProCurve ACL
    • K.13
Looking for a platform that isn't currently supported? Email NetCitadel at info@netcitadel.com.

FWB helps you to configure multiple firewalls in a consistent way

Broadly speaking, FWB is both a graphical interface (GUI) and a set of compilers. You define your rules in the GUI, and a compiler generates scripts from them for the chosen platform. In fact, the same set of rules may be used to generate scripts for iptables, ipfilter, or (e.g.) Cisco devices.
FWB provides a handy library of objects for commonly used entities in firewall rules (e.g. private address ranges, well-known IP and network addresses, as well as protocols). These standard objects may be extended by the user with new objects, or by grouping existing objects into new ones. Firewalls are also objects, so you can manage many firewalls in the same interface and share objects between them. This, as we’ll see, is an unexpectedly powerful feature.
FWB saves all these entities (objects and firewalls) in an XML file using the “.fwb” extension. Corruptions in fwb files may be corrected using a simple text editor such as gedit (eh, yes, that happened to me a few times…).
For an article with a scenario describing how to configure a firewall with Firewall Builder, see this link:

You will find information on a Xen ruleset scenario in the article.
Do you really need Firewall Builder?
Creating similar rulesets by hand is not too difficult, but there is a hidden pitfall: you’ll need some templating system in place to generate consistent rulesets across all your firewalls. Or you can use Firewall Builder.
Object Model
Instead of having to type firewall commands, Firewall Builder allows you to create firewall rules with user-defined objects. After an object is created, for example an IP address to represent an E-mail server, that object can be used in rules on all your firewalls. And the search function makes it easy to find everywhere an object is being used.
A special type of object, the group object, lets you define a group of objects and use that group in a rule. Groups can contain many types of child objects; for example, a group could include a mix of networks, hosts, and address ranges. When Firewall Builder generates rules for a platform such as Linux iptables, which doesn’t natively support group objects in its command syntax, it automatically creates individual rules to match every child object in the group.

Example of Group Object with Network, Host and Address Range Members

Rules Validation
Using its built-in inspection logic, Firewall Builder analyzes the configured firewall rules to identify:
  • Rules not supported by a particular firewall platform
  • Invalid rules that might be the result of user error, such as NAT'ing UDP into TCP
  • Rule shadowing: rules that will never be matched because an earlier rule already matches the traffic
Shadowed Rule Example

Firewall Builder Error when Shadowed Rule is Detected
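To make the two mechanisms above concrete (group objects expanded into individual iptables commands, and detection of a rule that an earlier rule already matches), here is a small added example in Python. It is not Firewall Builder's own code or its real object model: the Rule class, the helper names, the FORWARD-chain command layout and the sample addresses are all assumptions constructed for this illustration.

```python
"""Group-object expansion and rule-shadowing check on a toy rule model.

Added illustration; not Firewall Builder's code.  The rule model, the
iptables command layout and the sample policy are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

# Address objects.  Host, network and range objects are all reduced to a
# list of CIDR blocks, so a group is simply the concatenation of its members.
def host(addr: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(addr)]

def network(cidr: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(cidr)]

def address_range(first: str, last: str) -> List[ipaddress.IPv4Network]:
    # A range that is not CIDR-aligned becomes several CIDR blocks.
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def group(*members) -> List[ipaddress.IPv4Network]:
    return [block for member in members for block in member]

@dataclass
class Rule:
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port
    action: str           # "ACCEPT" or "DROP"

def compile_iptables(rules: List[Rule], chain: str = "FORWARD") -> List[str]:
    """Expand every (src, dst) block pair into one iptables command, in rule order."""
    out = []
    for r in rules:
        for s in r.src:
            for d in r.dst:
                parts = ["iptables", "-A", chain]
                if s != ANY:
                    parts += ["-s", str(s)]
                if d != ANY:
                    parts += ["-d", str(d)]
                if r.proto != "any":
                    parts += ["-p", r.proto]
                if r.dport is not None:
                    parts += ["--dport", str(r.dport)]
                parts += ["-j", r.action]
                out.append(" ".join(parts))
    return out

def _covered(blocks, by) -> bool:
    """Every block in `blocks` lies inside some block of `by`."""
    return all(any(b.subnet_of(c) for c in by) for b in blocks)

def shadows(earlier: Rule, later: Rule) -> bool:
    """True if `earlier` matches every packet `later` would match."""
    return (_covered(later.src, earlier.src)
            and _covered(later.dst, earlier.dst)
            and earlier.proto in ("any", later.proto)
            and earlier.dport in (None, later.dport))

def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, shadowing_index) pairs under first-match semantics."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if shadows(rules[i], later):
                found.append((j, i))
                break
    return found

# Constructed sample policy (addresses invented for the example).
web_clients = group(network("10.0.0.0/24"), host("192.168.1.10"),
                    address_range("172.16.0.5", "172.16.0.8"))
web_server = host("10.1.1.1")
SAMPLE_RULES = [
    Rule(web_clients, web_server, "tcp", 80, "ACCEPT"),
    Rule(host("10.0.0.7"), web_server, "tcp", 80, "DROP"),   # shadowed by rule 0
    Rule([ANY], [ANY], "udp", 53, "ACCEPT"),
    Rule(host("10.0.0.7"), [ANY], "any", None, "DROP"),      # not shadowed: wider proto/dst
]

if __name__ == "__main__":
    for line in compile_iptables(SAMPLE_RULES):
        print(line)
    for j, i in find_shadowed(SAMPLE_RULES):
        print(f"rule {j} is shadowed by rule {i}")
```

Running it prints eight iptables commands (the group in rule 0 alone expands to five, because the 172.16.0.5-172.16.0.8 range is not CIDR-aligned and splits into three blocks) and reports that rule 1 is shadowed by rule 0. Note the limitation of this simple check, which compares each rule against one earlier rule at a time: a rule that is only covered by the union of several earlier rules is not reported.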

Automatic Configuration Generator
The built-in rules compiler generates platform specific firewall commands. The compiler understands the differences between types of firewalls and software versions, ensuring it generates the right commands for each type of firewall platform.
You can compile individual rules in the GUI at any time to see the specific commands that will be generated for that rule. This gives you instant visibility of the specific commands that would be deployed to the firewall.

Example of On-Demand Rule Compilation

Integrated Installer
Firewall Builder uses SSH and SCP to securely deploy your rules to the firewall. To help avoid a firewall change accidentally locking you out of the device, Firewall Builder includes functions to automatically revert the firewall configuration to the previous version.
Advanced Feature Configuration Support
Firewall Builder also supports configuration of many advanced features. For example:
  • Cluster support for Cisco ASA/PIX, Linux iptables and OpenBSD pf firewalls
  • Dynamic live rule updates on Linux iptables (via ipset module) and OpenBSD pf
  • Run time options to have rule objects, like interfaces, determined on firewall startup
  • Predefined templates, including firewall rules, for common deployment scenarios
  • Device configuration of interface IP addresses, static routes, VLAN and bridge interfaces
  • Configuration version control using RCS
  • User defined pre and post firewall startup scripts

How it Works
Firewall Builder makes configuring and managing firewalls much easier. The process follows five basic steps:
  • Create Firewall. Define your firewall settings including platform type, software version and interfaces.
  • Define Objects. Create objects for network elements for use in firewall rules.
  • Configure Policy. Use the defined objects to specify the rules for this firewall.
  • Compile Rules. Convert rules into a configuration file for the firewall.
  • Deploy Configuration. Install the configuration file on the firewall.

A Quick start guide can be found here:

You can use Firewall Builder also for more complex server configurations like failover clusters:

