[AusNOG] NS-5GT and SSG140 Project

Eric Pinkerton Eric.Pinkerton at stratsec.net
Wed Nov 14 09:08:29 EST 2012


Hi Skeeve,

There was a Juniper utility to do this, but IIRC it never really worked. Juniper do claim to help with this though: http://www.juniper.net/us/en/local/pdf/datasheets/1000380-en.pdf.

I would caution against any straight migration, as you will lose a really good opportunity to get a better handle on the rulesets in place, as opposed to the rules that should be in place.

In almost every firewall ruleset you examine you will find heaps of problems such as overly liberal use of the word Any, rules with far too many destinations, rules that are hidden by other rules, unintended outcomes, poor logging configuration, poor comments and quick and dirty temporary fixes that have been in place for years, so if you just move them over, you will have even less chance of fixing them, and an increased risk of further unintended consequences.

I would strongly recommend you factor in a config review for this migration. Tools like Nipper can help you pick off the low-hanging fruit, and perhaps consider tools like Algosec if the complexity of the rule sets warrants it (i.e. thousands of rules).

Also, as a side note if you are moving them from ScreenOS to JunOS, show them the 'show | display set' command.  It's a lifesaver whilst you are getting your head around the whole contextual thing!

Eric
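The ruleset problems listed above (permit-any rules, missing logging, rules shadowed by earlier ones) can be picked off with a few lines of scripting before reaching for a commercial tool. The following is an added example, not code from the thread or from Juniper: a small Python linter that parses Junos-style `set security policies ...` lines of the kind `show | display set` prints, and reports those three issue classes. The configuration, policy names and address-book names in it are constructed for the example.

```python
"""Added example: lint a Junos-style 'set' security policy ruleset for
permit any/any/any rules, unlogged permits, and shadowed rules.
The sample configuration is constructed; names are not from a real device."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample in the form 'show | display set' prints on Junos.
SAMPLE_CONFIG = """\
set security policies from-zone trust to-zone untrust policy allow-mail match source-address mail-server
set security policies from-zone trust to-zone untrust policy allow-mail match destination-address any
set security policies from-zone trust to-zone untrust policy allow-mail match application junos-smtp
set security policies from-zone trust to-zone untrust policy allow-mail then permit
set security policies from-zone trust to-zone untrust policy allow-mail then log session-init
set security policies from-zone trust to-zone untrust policy temp-fix match source-address any
set security policies from-zone trust to-zone untrust policy temp-fix match destination-address any
set security policies from-zone trust to-zone untrust policy temp-fix match application any
set security policies from-zone trust to-zone untrust policy temp-fix then permit
set security policies from-zone trust to-zone untrust policy block-telnet match source-address any
set security policies from-zone trust to-zone untrust policy block-telnet match destination-address any
set security policies from-zone trust to-zone untrust policy block-telnet match application junos-telnet
set security policies from-zone trust to-zone untrust policy block-telnet then deny
set security policies from-zone untrust to-zone trust policy inbound-web match source-address any
set security policies from-zone untrust to-zone trust policy inbound-web match destination-address web-server
set security policies from-zone untrust to-zone trust policy inbound-web match application junos-https
set security policies from-zone untrust to-zone trust policy inbound-web then permit
set security policies from-zone untrust to-zone trust policy inbound-web then log session-close
"""

LINE_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$"
)


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    src: Set[str] = field(default_factory=set)
    dst: Set[str] = field(default_factory=set)
    app: Set[str] = field(default_factory=set)
    action: str = ""
    log: bool = False


def parse_policies(config: str) -> List[Policy]:
    """Build an ordered list of policies from 'set' lines (order = evaluation order)."""
    policies: Dict[Tuple[str, str, str], Policy] = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not security policy statements
        fz, tz, name, kind, rest = m.groups()
        pol = policies.setdefault((fz, tz, name), Policy(name, fz, tz))
        parts = rest.split()
        if kind == "match":
            {"source-address": pol.src,
             "destination-address": pol.dst,
             "application": pol.app}[parts[0]].add(parts[1])
        elif parts[0] in ("permit", "deny", "reject"):
            pol.action = parts[0]
        elif parts[0] == "log":
            pol.log = True
    return list(policies.values())  # dict preserves first-seen order


def covers(earlier: Set[str], later: Set[str]) -> bool:
    """True if everything the later rule matches is also matched by the earlier rule."""
    return "any" in earlier or later <= earlier


def lint(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (policy name, issue) pairs for the problem classes discussed in the thread."""
    findings: List[Tuple[str, str]] = []
    for i, pol in enumerate(policies):
        if pol.action == "permit":
            if pol.src == {"any"} and pol.dst == {"any"} and pol.app == {"any"}:
                findings.append((pol.name, "permits any source, destination and application"))
            if not pol.log:
                findings.append((pol.name, "permit rule without logging"))
        # A rule is shadowed when an earlier rule in the same zone pair covers all its matches.
        for earlier in policies[:i]:
            same_pair = (earlier.from_zone, earlier.to_zone) == (pol.from_zone, pol.to_zone)
            if (same_pair and covers(earlier.src, pol.src)
                    and covers(earlier.dst, pol.dst) and covers(earlier.app, pol.app)):
                findings.append((pol.name, f"shadowed by earlier rule '{earlier.name}'"))
                break  # reporting one shadowing rule per policy is enough
    return findings


if __name__ == "__main__":
    for name, issue in lint(parse_policies(SAMPLE_CONFIG)):
        print(f"{name}: {issue}")
```

On the constructed sample this reports `temp-fix` twice (permit any/any/any, no logging) and `block-telnet` as shadowed by `temp-fix`: the deny placed after a permit-any rule can never match, which is exactly the kind of "quick and dirty temporary fix" that a straight migration would carry across unchanged. The shadow check treats address-book and application names as opaque strings, so a real review still needs to resolve those objects to prefixes and ports.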


From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Skeeve Stevens
Sent: Wednesday, 14 November 2012 12:09 AM
To: <ausnog at lists.ausnog.net>
Subject: [AusNOG] NS-5GT and SSG140 Project

Hey,

We're Juniper people, but not Netscreen (ScreenOS) people.  Looking for someone to assist a client with some configuration analysis and conversion.

Project is in Sydney

Please contact me off-list.



