Firewall Management Using DSC/CHEF


This topic contains 6 replies, has 3 voices, and was last updated by Sean Feeney 2 years, 1 month ago.

  • #20269
    Sean Feeney
    Participant

    I'm curious to hear others' ideas on the following scenario:

    – I have 9 different OUs with different firewall rules on each, managed by GPO (a pain, trust me).
    – Starting in roughly 2 weeks all of these machines will be 2012R2 (most are already).

    I would like to shift from Group Policy to DSC and our existing Chef infrastructure to manage all of these instead. My first step would be compiling all the firewall rules and creating our base set of rules (ones that exist in each OU). The second step is going to be creating the unique rules for each OU. And the final step would be deploying.

    My questions are:

    – Does anyone have a better idea on correlating the existing rules besides going manually through them and finding the common ones?
    – With the current xNetworking set it seems that I can add new rules; how can I go about ensuring only my "DSC firewall rules" exist in the Windows Firewall ruleset? (My thought here is that, worst-case scenario, at the beginning of the Chef script I'll just go through and wipe all the rules and reapply – although this will create some momentary security issues.)
    – As far as I can tell I can only ensure that rules are present – is there a way to ensure that the state of the "Domain" (for instance) is enabled?

  • #20352
    Don Jones
    Keymaster

    > – Does anyone have a better idea on correlating the existing rules besides going manually through them and finding the common ones?
    Nope. Nobody's made any tools to do so, yet.

    > – With the current xNetworking set it seems that I can add new rules; how can I go about ensuring only my "DSC firewall rules" exist in the Windows Firewall ruleset? (My thought here is that, worst-case scenario, at the beginning of the Chef script I'll just go through and wipe all the rules and reapply – although this will create some momentary security issues.)

    Not exactly. xNetworking doesn't "add new rules;" it makes sure specified rules exist. That said, you'll probably have to experiment a bit to make sure it does what you need.

    > – As far as I can tell I can only ensure that rules are present – is there a way to ensure that the state of the "Domain" [for instance] is enabled?

    It doesn't look like Microsoft's resource does that. You might look at the cNetworking resource in our DSC Hub GitHub repo, though. The community's been very active in expanding on Microsoft's work.
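    Added example (not part of the thread, and not code from the xNetworking or cNetworking resources): the profile-state question above can be handled with the built-in Script resource from PSDesiredStateConfiguration, which wraps Get-NetFirewallProfile / Set-NetFirewallProfile in a Get/Test/Set triple. It enforces three things on the Domain profile: enabled, default inbound action Block, default outbound action Allow. The configuration name, node name and output path are placeholders; it has to be run elevated on a host with the NetSecurity module (2012 / 8 or later).

```powershell
# Added example, not from the thread. Enforces the Domain firewall profile
# state with the built-in Script resource (no xNetworking needed): profile
# enabled, default inbound Block, default outbound Allow. Run elevated.
Configuration FirewallProfileBaseline {
    param([string[]]$NodeName = 'localhost')   # placeholder target
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        Script DomainProfileEnabled {
            GetScript = {
                $p = Get-NetFirewallProfile -Profile Domain
                @{ Result = 'Enabled={0} Inbound={1} Outbound={2}' -f `
                    $p.Enabled, $p.DefaultInboundAction, $p.DefaultOutboundAction }
            }
            TestScript = {
                $p = Get-NetFirewallProfile -Profile Domain
                # Enabled and the actions are enum values; comparing them as
                # strings keeps the desired state readable. 'NotConfigured'
                # (the GPO-inherited default) deliberately fails the test.
                ("$($p.Enabled)" -eq 'True') -and
                ("$($p.DefaultInboundAction)" -eq 'Block') -and
                ("$($p.DefaultOutboundAction)" -eq 'Allow')
            }
            SetScript = {
                # Only the enforced properties are touched; logging paths and
                # other local profile settings are left alone.
                Set-NetFirewallProfile -Profile Domain -Enabled True `
                    -DefaultInboundAction Block -DefaultOutboundAction Allow
            }
        }
        # Add a second and third Script block with -Profile Private / Public
        # to cover the other profiles the same way.
    }
}

# Compile to a MOF and apply; -Verbose shows the Test/Set decision per resource.
FirewallProfileBaseline -OutputPath .\FirewallProfileBaseline | Out-Null
Start-DscConfiguration -Path .\FirewallProfileBaseline -Wait -Verbose
# Afterwards Test-DscConfiguration returns $false if someone flips the profile off.
```

    The check in TestScript is the part worth copying: because it tests the exact values rather than "not disabled", a host that inherits NotConfigured from a leftover GPO is reported as non-compliant instead of silently passing.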

  • #20353
    Sean Feeney
    Participant

    Don,

    Thanks. I actually found some ways around this and was going to post back.

    First I took machines from each OU and, using

     # $ComputerName: one sample machine from the OU
     Invoke-Command -ComputerName $ComputerName -ScriptBlock { Get-NetFirewallRule -PolicyStore ActiveStore | Select-Object DisplayName | Sort-Object DisplayName } | Out-GridView

    dumped those results for machines in each tier to Excel.

    Using those results I created a pivot table to find the rules that exist across all tiers. (Side note: pivot tables got easy in Excel 2013.)

    Then using Carbon DSC (https://powershell.org/forums/topic/carbon-2-0-alpha-26-released/) I rewrote my rules in PowerShell.

    My remaining step is to figure out how to integrate this with our Chef environment (using a ps1 or dsc_script) – but I don't think that will be all that hard.

    I will make sure to take a look at cNetworking though.
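    Added example (not part of the post above): the gather-and-pivot procedure done entirely in PowerShell, so the common set and the per-tier extras fall out without Excel. Get-TierRuleNames pulls the effective rule set from one sample machine per tier over WinRM; Get-RuleCorrelation groups the names and splits them into rules present in every tier (the base set) and rules present in only some tiers. The host names are placeholders and $SampleRulesByTier is constructed data so the correlation step runs offline.

```powershell
# Added example, not from the thread. Collects firewall rule display names from
# one sample machine per tier and computes the common set and per-tier extras.
# Host names are placeholders; $SampleRulesByTier is constructed data so the
# analysis part runs without access to real machines.

$Tiers = @{
    'Tier-Web' = 'web01.corp.example'   # placeholder host names
    'Tier-App' = 'app01.corp.example'
    'Tier-Db'  = 'db01.corp.example'
}

function Get-TierRuleNames {
    # Returns a hashtable: tier name -> sorted unique DisplayNames of enabled rules.
    # DisplayName is the correlation key because GPO-deployed rules get GUID-style
    # Names that differ from policy to policy even when the rule is the same.
    param([Parameter(Mandatory)][hashtable]$TierMap)
    $result = @{}
    foreach ($tier in $TierMap.Keys) {
        $names = Invoke-Command -ComputerName $TierMap[$tier] -ScriptBlock {
            # ActiveStore is the effective rule set (local store plus applied GPOs)
            Get-NetFirewallRule -PolicyStore ActiveStore |
                Where-Object { "$($_.Enabled)" -eq 'True' } |
                Select-Object -ExpandProperty DisplayName
        }
        $result[$tier] = @($names | Sort-Object -Unique)
    }
    return $result
}

function Get-RuleCorrelation {
    # Splits rules into those present in every tier (base set) and those present
    # in only some tiers (per-OU rules), each tagged with the tiers that carry it.
    param([Parameter(Mandatory)][hashtable]$RulesByTier)
    $tierCount = $RulesByTier.Count
    $flat = foreach ($tier in $RulesByTier.Keys) {
        foreach ($rule in $RulesByTier[$tier]) {
            [pscustomobject]@{ Tier = $tier; Rule = $rule }
        }
    }
    $groups = $flat | Group-Object -Property Rule
    [pscustomobject]@{
        Common = @($groups | Where-Object { $_.Count -eq $tierCount } |
                   Select-Object -ExpandProperty Name | Sort-Object)
        Unique = @($groups | Where-Object { $_.Count -lt $tierCount } | ForEach-Object {
                   [pscustomobject]@{
                       Rule  = $_.Name
                       Tiers = ($_.Group.Tier | Sort-Object) -join ','
                   }
                 } | Sort-Object Tiers, Rule)
    }
}

# Constructed sample data in the shape Get-TierRuleNames returns.
$SampleRulesByTier = @{
    'Tier-Web' = @('Core Networking - DNS (UDP-Out)', 'Remote Desktop - User Mode (TCP-In)',
                   'World Wide Web Services (HTTP Traffic-In)')
    'Tier-App' = @('Core Networking - DNS (UDP-Out)', 'Remote Desktop - User Mode (TCP-In)',
                   'App Tier - Service Port 8080 (TCP-In)')
    'Tier-Db'  = @('Core Networking - DNS (UDP-Out)', 'Remote Desktop - User Mode (TCP-In)',
                   'SQL Server (TCP-In)')
}

$report = Get-RuleCorrelation -RulesByTier $SampleRulesByTier
# Live run: $report = Get-RuleCorrelation -RulesByTier (Get-TierRuleNames -TierMap $Tiers)

"Base rules (present in all $($SampleRulesByTier.Count) tiers):"
$report.Common | ForEach-Object { "  $_" }
"Per-tier rules:"
$report.Unique | Format-Table -AutoSize
```

    One machine per tier is enough only if the tier is actually uniform; running Get-TierRuleNames against two or three hosts per OU and comparing them first catches local rules that were never part of the GPO and should not end up in the base set.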

  • #20404
    David Jones
    Participant

    Configuration management should be idempotent. Deleting all the rules would actually block all traffic for the duration of applying the configuration.

  • #20406
    Sean Feeney
    Participant

    Agreed – I've decided to pivot on that because I realized that after the fact. We're setting up baseline monitoring in SCCM so should the ruleset change we can go in and take a look. The rules I'm writing now will simply add them if they do not exist – no removal.
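    Added example (not from either post, and not Carbon's or xNetworking's code): the idempotent "add if missing, never wipe" approach from the two posts above, with one addition the monitoring step needs. Assert-FirewallRule creates a rule only when it is absent, corrects it in place with Set-NetFirewallRule when a property has drifted (the rule keeps its identity, so there is no window with the rule gone), and otherwise leaves it alone. Get-UnmanagedFirewallRule lists enabled rules outside the baseline together with where they came from (local versus Group Policy) so leftovers from the old GPOs are visible without being removed. Rule names, ports and the $ManagedGroup tag are placeholders; run elevated.

```powershell
# Added example, not from the thread. Idempotent rule enforcement: create a rule
# only if it is missing, correct it in place if its properties drifted, and
# never delete anything. Unmanaged rules are reported, not removed. Rule names,
# ports and the $ManagedGroup tag are placeholders. Run elevated.

$ManagedGroup = 'DSC-Managed'   # assumed Group tag marking rules we own

$BaselineRules = @(
    @{ Name = 'DSC-RDP-Domain';   DisplayName = 'RDP (Domain)';
       Direction = 'Inbound'; Action = 'Allow'; Protocol = 'TCP'; LocalPort = '3389'; Profile = 'Domain' }
    @{ Name = 'DSC-WinRM-Domain'; DisplayName = 'WinRM HTTPS (Domain)';
       Direction = 'Inbound'; Action = 'Allow'; Protocol = 'TCP'; LocalPort = '5986'; Profile = 'Domain' }
)

function Assert-FirewallRule {
    # Returns 'Created', 'Corrected' or 'InSync' so a wrapper (or the Test/Set
    # pair of a DSC Script resource) can act on the outcome.
    param([Parameter(Mandatory)][hashtable]$Rule)

    $existing = Get-NetFirewallRule -Name $Rule.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -Name $Rule.Name -DisplayName $Rule.DisplayName -Group $ManagedGroup `
            -Direction $Rule.Direction -Action $Rule.Action -Protocol $Rule.Protocol `
            -LocalPort $Rule.LocalPort -Profile $Rule.Profile -Enabled True | Out-Null
        return 'Created'
    }

    # Protocol and port live on the rule's port filter object, not the rule itself.
    $port = $existing | Get-NetFirewallPortFilter
    $drifted = ("$($existing.Direction)" -ne $Rule.Direction) -or
               ("$($existing.Action)"    -ne $Rule.Action)    -or
               ("$($existing.Enabled)"   -ne 'True')          -or
               ("$($existing.Profile)"   -ne $Rule.Profile)   -or
               ("$($port.Protocol)"      -ne $Rule.Protocol)  -or
               ("$($port.LocalPort)"     -ne $Rule.LocalPort)
    if ($drifted) {
        # Set-NetFirewallRule rewrites only the named properties in place.
        Set-NetFirewallRule -Name $Rule.Name -Direction $Rule.Direction -Action $Rule.Action `
            -Enabled True -Profile $Rule.Profile -Protocol $Rule.Protocol -LocalPort $Rule.LocalPort
        return 'Corrected'
    }
    return 'InSync'
}

function Get-UnmanagedFirewallRule {
    # Enabled rules in the effective store that are outside the baseline, with
    # their origin so rules still coming from the old GPOs stand out.
    param([Parameter(Mandatory)][string[]]$ManagedNames)
    Get-NetFirewallRule -PolicyStore ActiveStore |
        Where-Object { "$($_.Enabled)" -eq 'True' -and $_.Name -notin $ManagedNames } |
        Select-Object Name, DisplayName, Direction, Action, Profile, PolicyStoreSourceType
}

foreach ($rule in $BaselineRules) {
    '{0,-20} {1}' -f $rule.Name, (Assert-FirewallRule -Rule $rule)
}
$managed = @($BaselineRules | ForEach-Object { $_.Name })
Get-UnmanagedFirewallRule -ManagedNames $managed | Format-Table -AutoSize
```

    Running the script twice should print InSync for every rule on the second pass; if it prints Corrected again, one of the comparisons does not match what the cmdlet stores (multi-value profiles or port ranges are the usual cause) and the rule would be rewritten on every run.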

  • #20409
    David Jones
    Participant

    Just took a look at Carbon.

    Their DSC Script and INI resources are going to be a godsend for me. We need a list of all DSC resources that are out there to avoid reinventing the wheel.

    I can't wait for WMF 5 and PowerShellGet (assuming they support Win7/2008 R2; I can't get rid of them fast enough).

  • #20412
    Sean Feeney
    Participant

    Definitely. Thanks to chef being out there I can use the DSC file resource to pull the necessary ones to my machines using SMB.
