About Me

Mumbai, India
I run an IT Security consulting firm based out of India. We started off from scratch in 2001 when I was 21, and have offices in Mumbai, Bahrain, and UAE. The idea behind the blog is to share the stories of how we run the business, the deals we make, the deals that break, the heartburn, and the sheer joy.

The Ultimate Startup Guide

The Ultimate Startup Guide is an e-book that provides answers to all your questions related to starting and growing a business in India. Everything you wanted to know about entrepreneurship in India, from ideation to registration to marketing to hiring. The book contains a large number of practical examples, anecdotes, interviews, and motivational material to help you get started and grow rapidly in a booming Indian economy. If you've got the idea, this book will help you through the execution and realize your dreams. Here are some of the key questions you will find answered in this book:
  • When starting a business, what are the legal issues involved?
  • What form of incorporation is better suited to which type of business?
  • What tax issues are involved?
  • How do I start a business and what are the pitfalls?
  • How do I market my business in the absence of significant funding?
  • How do I get funded?
  • What are the basic accounting concepts I should be aware of?
  • What is a business plan and how should I build one?
The brief table of contents of the book is as follows:
  1. Getting started
  2. Ideation
  3. Forms of Enterprises
  4. Funding
  5. Basic Accounting and Taxation
  6. Import and Export Licensing
  7. Trademark and Patenting
  8. Rules for NRIs and Foreigners
  9. Building a Business Plan
  10. Marketing on a Shoestring
  11. Website and Branding
  12. Women Entrepreneurs
  13. Templates
To order the Ultimate Startup Guide - email me at kkmookhey@gmail.com.

Details of the book are:
Title: The Ultimate Startup Guide
Author: Kanwal Mookhey
Pages: 150
Additional: Companion CD contains numerous templates for building your business plan, calculating cash flow, preparing profit and loss statements and balance sheets, preparing invoices, your resume and profile, marketing material, websites, contracts, and much other useful and motivational material.

Friday, June 23, 2006

Firewall rulebase analysis

Since the core focus of my firm is on information security, and nothing seems to inspire an entrepreneurship-related post, today's Chautauqua shall be on firewalls and bloated rulesets.

In most small-medium enterprises, the maximum number of firewalls I've seen is about 4-5, and almost always fewer than a dozen. But as the size of the organization grows, not only does the number of firewalls increase, but the complexity of the ruleset within each firewall also increases. Sometimes exponentially. This is aided by weak change management processes, where users simply request the change, their department manager approves it, and the security team implements it. As time progresses, the ruleset becomes bloated and reduces the performance of the firewall, since the firewall needs to process the rules in sequence for each arriving packet until a match is found.

One of our clients has more than 100 firewalls from three different vendors, and the ruleset varies from a manageable 500 rules to an insane 80,000 rules in one of the Cisco PIX firewalls! There are various reasons that have contributed to this situation:

  1. The weak change management process referred to earlier
  2. Security administrators not checking whether a rule that already processes the same type of traffic exists
  3. Not checking whether the new request can simply be grouped with an earlier rule
  4. Not periodically checking for temporary rules and removing them once the temporary need has passed
When we were called in to hack our way through this, we realised manual analysis was impossible, so we built a tool to do this. We also realised that we needed to attack the problem from as many sides as possible:
  1. Analyze the logs to determine which rules were actually being used by the traffic flowing through the firewall
  2. Analyze the configuration to determine redundant rules or groupable rules
  3. Analyze the rule creation process and inhibit rule creation at that stage as well
The tool that we've made for this purpose does the following:
  1. Takes as input the filename containing the firewall configuration, and reads it into a database table.
  2. Analyzes the firewall logs over a given period of time to determine which rules are actually being used, and marks the others for deletion.
  3. Identifies redundant rules, i.e. rules that are a subset of some other rule and can therefore be dropped.
  4. Identifies rules that can be grouped: if the source and destination IP addresses are the same, the ports/services of two rules can be merged to create one single rule.
  5. Identifies other components of the configuration that are not in use, and removes those as well.
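The following is an added illustration of the three configuration-side checks above (unused rules from log hit counts, redundant rules, groupable rules) under the first-match semantics described earlier, where the firewall walks the ruleset in order until a packet matches. It is not the firm's tool and uses a constructed, vendor-neutral rule format and constructed log lines rather than real PIX, Netscreen or Cyberguard syntax; the rule ids, addresses and log layout are all assumptions. It also adds one check a practitioner wants that the list above does not spell out: a rule covered by an earlier rule with a *different* action is shadowed (a policy conflict to review), not redundant (safe to drop).

```python
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed, vendor-neutral rule format (NOT PIX/Netscreen/Cyberguard syntax):
#   <id> <permit|deny> <proto> <src-cidr|any> <dst-cidr|any> <ports|any>
# Rules are evaluated top to bottom; the first match wins.
SAMPLE_CONFIG = """\
10 permit tcp 10.1.0.0/16 192.168.5.10/32 80
20 permit tcp 10.1.0.0/16 192.168.5.10/32 443
30 permit tcp 10.1.2.0/24 192.168.5.10/32 80
40 deny   tcp 10.9.0.0/16 any any
50 permit tcp 10.9.1.0/24 172.16.0.0/12 22
60 permit udp any 192.168.5.53/32 53
"""

# Constructed log lines: the only field the analysis needs is rule=<id>.
SAMPLE_LOG = """\
2006-06-20T10:00:01 rule=10 src=10.1.4.7 dst=192.168.5.10 dport=80
2006-06-20T10:00:02 rule=20 src=10.1.4.7 dst=192.168.5.10 dport=443
2006-06-20T10:00:05 rule=60 src=10.2.0.3 dst=192.168.5.53 dport=53
2006-06-20T10:00:09 rule=10 src=10.1.9.1 dst=192.168.5.10 dport=80
"""

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset  # empty frozenset means "any port"


def _net(tok):
    return ANY_NET if tok == "any" else ipaddress.ip_network(tok, strict=False)


def _ports(tok):
    return frozenset() if tok == "any" else frozenset(int(p) for p in tok.split(","))


def parse_rules(text):
    """Step 1: read the configuration into structured rows (a list stands in for the DB table)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # blank or malformed line in this toy format
        rid, action, proto, src, dst, ports = parts
        rules.append(Rule(int(rid), action, proto, _net(src), _net(dst), _ports(ports)))
    return rules


def rule_hits(log_text):
    """Step 2: count how often each rule id appears in the log window."""
    return Counter(int(m.group(1)) for m in re.finditer(r"\brule=(\d+)", log_text))


def unused_rules(rules, hits):
    return [r.rid for r in rules if hits[r.rid] == 0]


def covers(outer, inner):
    """True if every packet matching `inner` would also match `outer`."""
    ports_ok = not outer.ports or (bool(inner.ports) and inner.ports <= outer.ports)
    return (outer.proto == inner.proto
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and ports_ok)


def redundant_and_shadowed(rules):
    """Step 3: a rule fully covered by an EARLIER rule never fires.
    Same action -> redundant (safe to drop); different action -> shadowed (review, don't drop)."""
    redundant, shadowed = [], []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                target = redundant if earlier.action == later.action else shadowed
                target.append((later.rid, earlier.rid))
                break
    return redundant, shadowed


def groupable(rules):
    """Step 4: rules with identical action, protocol, source and destination differ only in ports."""
    buckets = defaultdict(list)
    for r in rules:
        buckets[(r.action, r.proto, r.src, r.dst)].append(r)
    merged = []
    for group in buckets.values():
        if len(group) > 1:
            # If any member is already "any port", the merged rule is "any port" (empty set).
            ports = frozenset().union(*(r.ports for r in group)) if all(r.ports for r in group) else frozenset()
            merged.append(([r.rid for r in group], sorted(ports)))
    return merged


def analyze(config_text, log_text):
    rules = parse_rules(config_text)
    redundant, shadowed = redundant_and_shadowed(rules)
    return {
        "rule_count": len(rules),
        "unused": unused_rules(rules, rule_hits(log_text)),
        "redundant": redundant,
        "shadowed": shadowed,
        "groupable": groupable(rules),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CONFIG, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample data, rule 30 is redundant (rule 10 already permits that traffic), rule 50 is shadowed by the broader deny in rule 40, rules 10 and 20 can be merged into one rule for ports 80 and 443, and rules 30, 40 and 50 saw no traffic in the log window. Two caveats apply in practice: a rule with zero hits is only "unused" relative to the log period examined (a quarterly batch job or a disaster-recovery path may legitimately be silent for months), and merging two rules moves one of them in the ordering, so confirm no rule with a different action sits between them and overlaps the same addresses before emitting the combined rule.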
It works for the following firewall configurations
Initial runs of the tool are resulting in a reduction of 40-60% of the ruleset. Here's a snapshot of the rudimentary GUI we've built. It shows the output for a Cisco PIX firewall that has been analyzed; a new configuration can be created from the commands listed:

For the first two firewalls it produces its output as the actual configuration commands needed to change the configuration, so you could simply copy-paste the output into the command-line interface (CLI) of the firewall. For Cyberguard, it simply lists the rules and their rule numbers, and these need to be dropped manually from the GUI configuration.

Some further references on the same subject:
Firewall Policy Advisor for anomaly discovery
Taxonomy of conflicts in firewall policies
An expert system for analyzing firewall policies

Other products that might be doing the same thing are Algosec and Firemon.

Incidentally, this project has enabled me to gain a much deeper insight into the various firewalls. And I must say Netscreen firewalls are amazingly good, and Cisco PIX has way too many shortcomings. The Cyberguards fall somewhere in between. Checkpoint hasn't been included in the list, but we might include that in the tool's capabilities as well.

3 comments:

Neeraj | www.bharari.net said...

What do you think about ZoneAlarm Pro firewall?

Kanwal K Mookhey said...

Well, the current post was on enterprise firewalls, and ZoneAlarm is a personal firewall - a very good one too! I'd suggest you give BlackIce a shot as well. It's got pretty cool IDS capabilities besides the firewalling. Also, check out Microsoft's OneCare security service.

Juma said...

A very interesting article - where can I find more information about the tool?
Thanks