The Firewall Rule Checker is an automated Python-based tool that runs a sequence of steps for validating and modifying firewall configurations. It executes several Python modules in order, covering tasks such as checking firewall rules, replacing address objects, and performing firewall analysis. It is intended for network security professionals who need to streamline firewall rule checking and configuration modification. The tool analyzes firewall configurations to check compliance and highlight potential security risks. The rules it checks are described below.
The framework classifies firewall rules into ten distinct categories to facilitate structured validation. Each category is checked for the following:

- Identifies unrestricted communication between any source and any destination.
- Flags potential security risks due to lack of restrictions.
- Ensures proper segmentation and access control.

- Validates specific source IPs/subnets communicating with any destination.
- Ensures comprehensive source IP validation.
- Covers both general and specific service configurations.

- Verifies communication between specific source and destination IPs.
- Ensures granular service-level access control.
- Checks independent service rule configurations.

- Analyzes rules where source access is unrestricted.
- Identifies potential security vulnerabilities.
- Assesses destination-specific service access.

- Flags unauthorized access to the Cardholder Data Environment (CDE).
- Prevents unauthorized data exposure and potential breaches.
- Restricts access across network zones.

- Identifies risky outbound access from the CDE to out-of-scope (OOS) sources.
- Enforces strict data protection policies.
- Analyzes inbound/outbound CDE traffic for security gaps.

- Monitors communication between the CDE and external networks.
- Ensures compliance with strict data protection protocols.
- Validates both inbound and outbound access control measures.

- Validates communication between external and internal networks.
- Ensures robust network segmentation.
- Assesses perimeter security controls.

- Examines private network traffic directed towards public networks.
- Mitigates data leakage risks.
- Controls outbound traffic to prevent unauthorized transmissions.

- Identifies rules with unrestricted access configurations.
- Recommends security enhancements to tighten access controls.
- Evaluates rule permissiveness to reduce exposure risks.
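The following is an added illustration of the classification described above; it is not code from the Firewall Rule Checker itself. It assumes each rule is a dict with `source`, `destination` and `service` columns (names assumed), that the CDE and OOS scopes are lists of CIDR strings such as the tool's `cde.txt`/`oos.txt` would hold, and it uses CIDR containment rather than expanding subnets into individual IPs.

```python
import ipaddress

# Values that the firewall export uses for "anything" (assumed spellings)
ANY = {"any", "all", "0.0.0.0/0"}

def is_any(value):
    """True if a source/destination/service cell means 'unrestricted'."""
    return value.strip().lower() in ANY

def in_scope(value, nets):
    """True if any IP/subnet in a (possibly comma-separated) cell lies inside nets."""
    if is_any(value):
        return False
    for item in value.replace(";", ",").split(","):
        try:
            net = ipaddress.ip_network(item.strip(), strict=False)
        except ValueError:          # names, service strings, empty cells
            continue
        if any(n.version == net.version and net.subnet_of(n) for n in nets):
            return True
    return False

def classify(rule, cde, oos):
    """Return (category label, list of findings) for one firewall rule."""
    src, dst, svc = rule["source"], rule["destination"], rule["service"]
    label = "Source-%s--Destination-%s--Services-%s" % (
        "Any" if is_any(src) else "Specific",
        "Any" if is_any(dst) else "Specific",
        "Any" if is_any(svc) else "Specific")
    findings = []
    if is_any(src) and is_any(dst) and is_any(svc):
        findings.append("unrestricted any/any/any rule")
    if is_any(src) and in_scope(dst, cde):
        findings.append("any source reaches CDE")
    if in_scope(src, oos) and in_scope(dst, cde):
        findings.append("OOS source reaches CDE")
    if in_scope(src, cde) and in_scope(dst, oos):
        findings.append("CDE source reaches OOS")
    return label, findings

# Constructed sample scopes and rules (not from a real configuration)
CDE = [ipaddress.ip_network("10.10.0.0/16")]
OOS = [ipaddress.ip_network("192.168.0.0/16")]
SAMPLE_RULES = [
    {"source": "any", "destination": "any", "service": "any"},
    {"source": "192.168.5.0/24", "destination": "10.10.2.15", "service": "tcp/443"},
    {"source": "10.10.2.15", "destination": "10.10.3.0/24", "service": "tcp/1433"},
]

def report(rules, cde, oos):
    """Classify every rule; the label matches the tool's output file naming."""
    return [classify(r, cde, oos) for r in rules]
```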
The framework checks adherence to PCI DSS firewall and router security requirements, including:

- Requirement 1.1.7: Documentation of all connections to the cardholder data environment.
- Requirement 1.2: Restrict inbound and outbound traffic to only what is necessary.
- Requirement 1.3: Prohibit direct public access between external networks and the CDE.
- Requirement 1.4: Install personal firewall software on devices with direct Internet access.
Before running the Firewall Rule Checker script, ensure you have the following installed:

- Python 3.x: Python 3.6 or higher.
- Required Python libraries: the script depends on several Python libraries. To install them, run:

```
pip install pandas openpyxl xlsxwriter prettytable colorama
```
To run the script:

1. Select the firewall configuration file and generate a report using the Nipper tool.
2. Save the generated firewall report in HTML and "Table to CSV" format.
3. After choosing the "Table to CSV" option, several options appear (as shown in the screenshot); choose only "All Network Filtering Tables".
4. Install all prerequisites and execute the script:

```
python FW-Review-Starter.py
```
- Step-by-step guidance: the script guides you through the stages, asking for confirmation to proceed by typing 'y' (yes) or 'n' (no) at each one.
- Processing input files and configurations: you provide the input files and configurations that the script processes.
- Output files generated: based on your inputs, the script generates the following .xlsx output files:

```
output_cde-oos-findings.xlsx
output_Source-Any--Destination-Any--Services-Any.xlsx
output_Source-Any--Destination-Specific--Services-Any-Specific.xlsx
output_Source-Specific--Destination-Any--Services-Any-Specific.xlsx
output_Source-Specific--Destination-Specific--Services-Any.xlsx
output_external_internal.xlsx
```
| Script Name | Description |
|---|---|
startup.py | Initializes firewall configuration and generates required text files (cde.txt, oos.txt, etc.). |
format-changer.py | Converts firewall CSV files into Excel format for better readability and processing. |
all-in-one.maker-groups.py | Merges multiple firewall address groups into a single group for streamlined management. |
replace.py | Finds and replaces group names in the firewall configuration to ensure consistency. |
replace-ao.py | Updates address objects in the modified firewall configuration file. |
Source and Destination Rules Check | Verifies firewall rules, including Source-Any, Destination-Any, and other predefined categories. |
cde-oos-subnet-extractor.py | Converts subnet ranges into individual IP addresses for validation. |
CDE-OOS-Checker | Validates compliance of CDE and OOS rules from an Excel file. |
external-to-internal.py | Analyzes public-to-private firewall rules and generates security reports. |
Each script executes in sequence, with prompts ensuring proper execution flow.
- Name: Vishal Patil
- Email: [email protected]