
Dissecting Object Filler and Object Dumper

Dissecting Object Filler and Object Dumper. Martín Hoz, martinhoz@gmail.com. CPUG CON Europe - Switzerland, September 8th, 2009. Who am I? Martín Humberto Hoz Salvador, Electronics and Communications Engineer, UANL – México. Interested in Internet Security since ~1993.


Presentation Transcript


  1. Dissecting Object Filler and Object Dumper Martín Hoz martinhoz@gmail.com CPUG CON Europe - Switzerland, September 8th, 2009

  2. Who am I? • Martín Humberto Hoz Salvador • Electronics and Communications Engineer • UANL – México • Interested in Internet Security since ~1993 • Been using Check Point products since 1998 (3.0b/4.0) • CCSE 4.1 – CCSE NGX R60 • Check Point employee for ~6 years (2001-2007) • Wrote Object Filler / Object Dumper (2003-2006) • Native language: Spanish

  3. Where is México?

  4. Some expectations • You already know the basics on Internet Security • IP addressing, routing • You already know the basics on Check Point • Creating objects and rules • Saving configurations • You know a bit of SPLAT / Windows / … • You get into the command line • You are able to transfer files over FTP

  5. Some comments and warnings • My Check Point knowledge stops on NGX R65 • I have NOT tested the tools on NGX R70 • I tested it on NGX R65 and all works, with the exception of Connectra objects • My motivations for doing this talk: • Fully explain what the tools can do and cannot do before they die… • Explain why and how the tools are designed • Have a final chance to answer questions

  6. Agenda • Introduction • Motivations on designing the tool • Object Filler – objects, files and other vendors • Object Dumper – dumping and recovering • Interesting operations • Provider-1 – considerations • Conclusions – and the future…

  7. Object Management Basics • Objects and rules are created primarily through SmartDashboard (GUI) • Good for day-to-day administration • Not too easy for massive loads, like new configs • Objects have different properties according to their type • Groups have members • Gateways have interfaces • Networks have netmasks • Hosts can be “servers” for DNS, Web or Mail • Rules have predefined properties, the same for every type of rule • Desktop Security, QoS, NAT and Security rules are different types of rules

  8. Where’s this stuff stored? • Most valuable configuration information is stored under $FWDIR/conf/ (or %FWDIR%\conf in MS Windows) • Objects are primarily placed under objects_5_0.C • Rules are stored under rulebases_5_0.C • Both are ASCII files

  9. However… • The files are in text, but using a special format • Which is *very* sensitive • Manual changes in these files can trigger severe problems • The general rule is: Don’t do it • Unless you really know what you are doing and you have CP Support backing you • Especially because there is a supported way to make changes…

  10. DBedit

  11. DBedit • Supported command line tool that allows changes in the overall configuration • Therefore, allows changes in objects_5_0.C and rulebases_5_0.C • Allows and extends what can be done from SmartDashboard • Present in all NG and NGX versions • All the operating systems supported by Check Point SmartCenters • Known to have better behavior since NG FP3 • As with all CLIs, there’s a special syntax that has to be used. This is documented by Check Point • Nowadays, manuals and Knowledge Base entries have information on it • DBedit is scriptable • It can take commands from a file…

  12. DBedit invocation

  13. DBedit invocation • Preferably use it from the SmartCenter you’re going to operate. That is, use localhost • If you are using it from a different machine, then the IP address you’re using has to be declared as a valid GUI client • Use the credentials of a regular R/W administrator • dbedit without options • dbedit with all options

  14. Doing a basic operation • Creating a basic host • Changing color and adding NAT…

  15. So, DBedit… • Is really powerful, but can be a bit complex • The syntax is also very sensitive to spaces, colons, dots, etc. • If you want to write a script, you have to spend some time: • Learning the DBedit syntax (useful then and forever) • Writing a (Shell/Perl/etc.) script to generate the DBedit script from an easier syntax, such as a CSV or XML file • Or typing/editing the DBedit script file yourself • That easily adds up to a couple of hours • Writing something you will, most of the time, use only once

  16. Other Scenarios: What if… • You’ve to do massive operations • You have to create 256 networks for 10.10.0.0/16 • 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24, and so on… • You have a list with 400 hosts objects with employee names and IP addresses which you need to enter to SmartCenter • Add NAT to a group of objects that are already created

  17. Other Scenarios: What if… (2) • Or a bit more complicated: Migrating from Cisco PIX or NetScreen/Juniper to Check Point… • … and there’s a customer that has 300 objects plus 900 rules on it • In all those cases, it takes lots of time analyzing and/or typing

  18. Agenda • Introduction • Motivations on designing the tool • Object Filler – objects, files and other vendors • Object Dumper – dumping and recovering • Interesting operations • Provider-1 – considerations • Conclusions – and the future…

  19. What drove the tool creation? • Three large config conversions from PIX in a row… • Two times of setting up 200+ objects for a PoC • Once helping a friend to add NAT config to his objects

  20. About ofiller/odumper design • The tool had to be useful and solve the problem: ease the task of populating the SmartCenter. • The tool had to work! (or I would be in big trouble with my friends/customers) • I used the only language I knew and had a compiler for… • Not Perl

  21. More notes (or the advantages of an “unsupported tool”) • I wanted to work with a “human-readable” format: ASCII text seems fine to me • Reads text, writes text: You can modify anything you need • Your changes do not necessarily affect your configuration • You can work offline • No latencies • You can take work to a plane • You don’t depend on the Check Point software to be “up and running” (especially useful on crashes) • Multiplatform and independent • As it is a standard C file, no dependencies on libraries • You can run it on Windows, Solaris and GNU/Linux (that includes SPLAT)

  22. Some other notes • The tool was NOT supposed to be shared with anybody but my friends • The tool was NOT thought of as being extensible, upgradable, maintainable or scalable… • And so Object Filler was born. Object Dumper just came a couple of years later • When people began to use it, documentation became a priority. I estimate I spent almost 50% of the time devoted to documentation…

  23. A recent success story • http://www.networksandsecurity.com/home/2009/08/24/recovering-from-a-dead-check-point-smartcenter/ • “Recovering from a dead Check Point SmartCenter” says it all

  24. Agenda • Introduction • Motivations on designing the tool • Object Filler – objects, files and other vendors • Object Dumper – dumping and recovering • Interesting operations • Provider-1 – considerations • Conclusions – and the future…

  25. What is Object Filler? • To begin with, it is a FREE but unsupported and unofficial tool • Automates the DBedit script creation to feed SmartCenter’s dbedit • Works mainly with Network/Service Objects • It works as well with firewall (security) rules • Can take information from 3 different types of feeds • Command Line • Useful when creating consecutive objects: nets, hosts within a given range, etc. • Predefined file with objects information • CSV File (predefined format), Hosts File (UN*X, Windows), … • Configuration from a third-party vendor configuration file • Cisco PIX and Cisco Routers (ACLs), NetScreen, Gauntlet, SideWinder, Raptor

  26. Object Filler data flow (diagram) • Inputs: Spreadsheet / Text Editor → CSV File (objects) or Text → Predefined File (CSV, etc.); Command Line Arguments; Third-party config file • Object Filler reads the input (objects, rules) and writes a DBedit File (DBedit commands: objects, rules) • The DBedit File is fed to the Check Point SmartCenter

  27. Supported by Object Filler / Dumper • Network Objects • Services • Firewall rules • Careful with resources and authentication! • It does NOT support users or user groups • They have a different database • Reference: Pages 25-27 of the User’s Manual contain tables for all supported objects

  28. Objects Supported

  29. Resources, Services and Operations supported

  30. Creating objects from Command Line • ofiller -t net -s 192.168.0.0 -d 192.168.255.0 -m 24 -c green -o networks.txt • For producing a CSV file, try: ofiller -t net -s 192.168.0.0 -d 192.168.255.0 -m 24 -c green -a networks.csv

  31. The resulting (-o) text file contents

  32. Importing the results into SmartCenter • Pass the file to the SmartCenter • Use FTP (ASCII file type), copy-paste, etc. • Use DBedit with the file as the input file • Make sure no GUI is running with R/W permissions

  33. The results in the database (before / after) • The objects are now created in the Objects Database • In less than 5 minutes • You should be able to see them within SmartDashboard • You may create a new Database Revision Control entry before and/or after the objects creation, as a “backup”

  34. Another example: • The task: “Using the address space 10.10.0.0/16, create all the networks that can have a 22 bit netmask (255.255.252.0) and Hide NAT ’em behind the IP addresses 172.16.10.10-15” • The command line: ofiller -t net -s 10.10.0.0 -d 10.10.255.255 -m 22 -c blue -ns 172.16.10.10 -nd 172.16.10.15 -nm 24 -a with_nats.csv
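The generator that slide 15 suggests writing yourself, applied to the task on this slide and to the 256-network case from slide 16. This is an added example and not Object Filler's code: it enumerates every /22 inside 10.10.0.0/16, colours the objects blue, assigns one hide-NAT address per network round-robin from the pool 172.16.10.10-15, and emits the DBedit commands. The object naming scheme (net_<address>_<prefix>) and the round-robin pool assignment are my own choices; the DBedit attribute names for the NAT section (NAT, NAT:netobj_adtr_method, NAT:valid_ipaddr, NAT:valid_addr_netmask) are the ones DBedit uses for network objects, and should be checked against the manual for the version you run.

```python
"""Generate a DBedit script for consecutive network objects with optional hide NAT.

Added example, not ofiller's own code. Object names and the round-robin pool
assignment are my own conventions; DBedit attribute names follow Check Point's
DBedit documentation for network objects (verify for your version).
"""
import ipaddress
from typing import List, Optional


def enumerate_subnets(block: str, new_prefix: int) -> List[ipaddress.IPv4Network]:
    """All subnets of `block` with prefix length `new_prefix` (64 /22s in a /16, 256 /24s, ...)."""
    net = ipaddress.ip_network(block, strict=True)
    if new_prefix < net.prefixlen:
        raise ValueError(f"/{new_prefix} is larger than the enclosing {block}")
    return list(net.subnets(new_prefix=new_prefix))


def address_pool(first: str, last: str) -> List[ipaddress.IPv4Address]:
    """Inclusive range of NAT addresses, e.g. 172.16.10.10-172.16.10.15 -> 6 addresses."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError("pool end precedes pool start")
    return [ipaddress.ip_address(i) for i in range(int(a), int(b) + 1)]


def object_name(net: ipaddress.IPv4Network) -> str:
    # Assumed naming scheme; the slides do not show how ofiller names the objects.
    return f"net_{net.network_address}_{net.prefixlen}"


def dbedit_network(net: ipaddress.IPv4Network, color: str = "blue",
                   hide_behind: Optional[ipaddress.IPv4Address] = None) -> List[str]:
    """DBedit commands for one network object; the NAT section only when hide_behind is given."""
    name = object_name(net)
    lines = [
        f"create network {name}",
        f"modify network_objects {name} ipaddr {net.network_address}",
        f"modify network_objects {name} netmask {net.netmask}",
        f"modify network_objects {name} color {color}",
    ]
    if hide_behind is not None:
        lines += [
            f"modify network_objects {name} NAT NAT",
            f"modify network_objects {name} NAT:netobj_adtr_method adtr_hide",
            f"modify network_objects {name} NAT:valid_ipaddr {hide_behind}",
            f"modify network_objects {name} NAT:valid_addr_netmask 255.255.255.255",
        ]
    lines.append(f"update network_objects {name}")
    return lines


def generate_script(block: str, new_prefix: int, color: str = "blue",
                    nat_first: Optional[str] = None, nat_last: Optional[str] = None) -> str:
    """Whole DBedit script; NAT addresses are taken round-robin from the pool."""
    pool = address_pool(nat_first, nat_last) if nat_first and nat_last else []
    out: List[str] = []
    for i, net in enumerate(enumerate_subnets(block, new_prefix)):
        hide = pool[i % len(pool)] if pool else None
        out.extend(dbedit_network(net, color, hide))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Equivalent of the slide's ofiller call: -s 10.10.0.0 -d 10.10.255.255 -m 22 -c blue -ns .10 -nd .15
    print(generate_script("10.10.0.0/16", 22, "blue", "172.16.10.10", "172.16.10.15"), end="")
```

Redirect the output to a file, transfer it to the SmartCenter as ASCII, and pass it to dbedit with the -f option while no SmartDashboard holds the database in R/W mode, as slide 32 describes. Six pool addresses over 64 networks means the seventh network (10.10.24.0/22) reuses 172.16.10.10; if the pool must not be shared, size it to the number of networks.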

  35. The result: CSV

  36. The result: DBedit

  37. The result: SmartDashboard

  38. Other sources for importing objects • Comma Separated Values (CSV) files • Created usually with a spreadsheet (MS Excel is an option), with values fixed according to the column • The most powerful way to import objects • Represents objects and Firewall rules • That’s the format Object Dumper uses • Use the program with options –f and –ilist • Format is documented in the Manual • Section 11.2 Comma Separated Values (CSV) file type • Pages 35-45

  39. Sample CSV File for objects

  40. Sample CSV File for groups

  41. Sample CSV File for services

  42. Sample CSV File for firewall rules

  43. Some special tips • When copying multiple objects, disable verifications: • “-nopv” will disable internal verifications, allowing you to copy duplicates • When handling policies • You must use the “-p” switch on Object Filler to specify a policy name • Otherwise, rules WILL NOT be processed, even if they are in the CSV file • The policy name should NOT exist, or it will be overwritten! • You may need to create a “Policy Package” with the same name • Make sure you use “-nopv” to avoid issues, if some of the objects were not processed on “this run”

  44. Other source files supported • List files (a “less-complex” CSV) • Files contain just IP addresses and netmasks • Object Filler creates the names and the type of object according to the IP address and netmask • Use the program with options –f and –ilist

  45. Other source files supported • Hosts • A regular hosts file. The one found at /etc/hosts on UN*X or %SYSTEMROOT%\system32\drivers\etc on Windows • Use the program with options –f and –ihosts

  46. Importing from Other Brands • Object Filler supports importing Network Objects from configurations of other brands • Object Filler parses the configuration file and, when it detects a valid IP address and netmask, builds an object according to such data • Rules support is here as well • Importing ACL rules from Cisco PIX and Cisco Routers

  47. Importing from Other Brands • As of Object Filler 2.4 it is “supported” • Cisco PIX and Cisco Routers • Network Objects, Groups, NAT, Services and Rules • NetScreen/Juniper • Network Objects, Static NAT • Gauntlet • Network Objects • SideWinder • Network Objects, Groups, Services • Raptor • Network Objects

  48. Converting from Cisco PIX to Check Point Example

  49. Source PIX configuration (part of it)

  50. Translating just Network Objects (Preview mode – using –a to get a CSV file)
