Friday, February 25, 2011

Sometimes you just have to ask...

I was recently exchanging emails with a customer who had just purchased a V4.1 Firewall Builder license. He didn't like the behavior where the GUI showed the interface name in the object tree and showed the interface label in the Policy rule.

He asked if we could fix this, and so we changed the behavior for our upcoming V4.2 release. Now the GUI shows both the interface name and label in the object tree. This makes it easier to quickly scan the object tree and know what interfaces you want to use in a rule.

OLD OBJECT TREE VIEW





NEW OBJECT TREE VIEW





The moral of the story is, if there is something that you would like to see us add or change in Firewall Builder just let us know. If it's easy you might be surprised how quickly it could appear in a new version.

Thursday, February 24, 2011

More V4.2 Features Ready for Beta Testing

We are making great progress on our next release which will be Firewall Builder V4.2. This release is mainly focused on enhancing our support for Cisco ASA, Cisco PIX and BSD pf platforms. Here's a quick overview of the features that are available in the latest beta release of V4.2.

* Support for defining interfaces in NAT rules
* Ability to configure bridge interfaces and static routes on BSD systems
* Option to generate FreeBSD platform configurations in rc.conf style format
* Support for Cisco ASA and PIX v8.0 - v8.3 platforms
* Use of named objects in Cisco ASA and PIX rules where possible

You can download a copy of the latest Firewall Builder beta version from our website:

http://www.fwbuilder.org/nightly_builds/fwbuilder-4.2/current_build/

And you can find notes about how to configure and use these new features on our website:

V4.2 Beta Notes

The last big feature we will be adding to V4.2 is support for importing Cisco ASA and PIX configurations. This will make it much easier for Cisco users to get started with Firewall Builder. Let us know what you think and thanks for helping us make Firewall Builder better!

Wednesday, February 16, 2011

Some thoughts from the RSA Conference

I was at the RSA conference (http://bit.ly/exsTwN) yesterday. After I finished up my meetings I wandered around the exhibition hall. There are over 330 companies with booths at the show which got me thinking about just how many products and companies there are in the security space.

With all these companies pushing what are sometimes very similar products, it can be hard to understand the differences between them. For instance I was talking with several UTM appliance providers and the list of features each of them were highlighting were almost identical across the board.

So what does this mean for Firewall Builder? Well, first of all it reminded me that there are a lot of products competing for our users attention, so it is critical that we do a good job making it clear both what Firewall Builder does as well as what it doesn't do. But, probably more importantly, it reinforced to me how important it is to stay focused on the problem that we are trying to solve.

Our mission is to make firewall management easier and more consistent across a wide range of firewall platforms. We want to do this in a way that scales both in terms of the number of firewalls that users can manage and also in terms of the number of users that need to manage those firewalls. I'm really excited about 2011 and the progress we are going to make towards these goals!

As always we want to hear from you. Do you think Firewall Builder's core mission is clear? What do you want to see in Firewall Builder in 2011?

Tuesday, February 1, 2011

Are your firewalls ready for IPv6?

I have to admit, over the last few years I have become a bit immune to all the declarations that this year was finally going to be the year that the Internet ran out of IPv4 addresses. While I still think this issue is getting sensationalized by the media, http://bit.ly/eLV7ci, the reality is that 2011 will likely mark the first year where enterprises really have to start planning for how they are going to support IPv6.

Even though it may be a little while before your enterprise is running a dual stack network with both native IPv4 and native IPv6 it’s probably time to start planning for when that day arrives. One notable change driven by IPv6 will be how network and security administrators think about firewall functions and network boundaries.

For example, one of the goals of IPv6 is to have a large enough IP address space that Network Address Translation (NAT) is no longer necessary. However many security administrators view NAT as providing useful hiding of their internal IP address schemes. I predict there will be a lot of interesting discussions about how best to secure IPv6 networks as it gets more widespread and mainstream adoption.

So, why am I posting about IPv6 you ask? One of the features of Firewall Builder is that it has built-in support for creating IPv6 objects and using those objects in your rules. This helps reduce the pain of deploying and supporting IPv6 firewalls. As noted IPv6 network architect pointed out to me, using a tool like Firewall Builder where objects are used in rules instead of straight IP addresses becomes even more critical with IPv6. How many times do you have to type 2001:0db8:85a3:::8a2e:0370:7334 before you make a typo??

Right now Firewall Builder supports IPv6 rules generation for Linux ip6tables, BSD pf, Cisco router access lists and ipfw, however I expect that as we see more of our users adopting IPv6 that we will add support for other platforms like Cisco ASA and PIX firewalls in the future.

Are you already using IPv6 or starting to plan for it? Let us know in the comments how you see IPv6 affecting your firewall management plans.