https://a996c8ee.aww-3cz.pages.dev/tags/object-group/ Recent content in Object-Group on Aaron's Worthless Words Hugo en Mon, 05 Apr 2010 00:00:00 +0000 https://a996c8ee.aww-3cz.pages.dev/posts/2010/04/more-asa-objects-and-object-groups/ Mon, 05 Apr 2010 00:00:00 +0000 https://a996c8ee.aww-3cz.pages.dev/posts/2010/04/more-asa-objects-and-object-groups/ <p>A few years ago, I developed a Perl-based application that take a template file and pukes out standardized access rules for new hosts as they&rsquo;re added to the network.  This works great for making sure that each host is able to be managed properly.  This solution, however, is not very flexible.  If I need to remove a host&rsquo;s access, I may have to take out 20 rules individually.  That&rsquo;s not really cool, so, at the suggestion of a coworker, I&rsquo;m working on a solution that uses objects, object-groups, and nested object-groups.  This should minimize the configured rules and allow new host rules to be added and removed by simply adding hosts to object-groups.</p> https://a996c8ee.aww-3cz.pages.dev/posts/2009/10/using-spf-records-to-build-objects/ Fri, 16 Oct 2009 00:00:00 +0000 https://a996c8ee.aww-3cz.pages.dev/posts/2009/10/using-spf-records-to-build-objects/ <p>My biggest complain about modern firewalls is their lack of the ability to create rules based on URLs or HTTP streams; you have to open access between IP addresses.  Yes, I know there are other means to do that, but I want my ASA/PIX/FWSM to do it without making me do so much work.</p> <p>Anyway, the fact that you have to use IPs brings up some interesting problems.  Let&rsquo;s say you have a server in a DMZ that needs to query Google for some content.  Since you&rsquo;re a hard-ass network guy like I am, you tell the admin that they have provide the data flow they want to use &ndash; source IP, destination IP, protocol, port.  They come back and tell you that they need their server to connect via HTTP to 74.125.45.100.  You put in the rules as given, but the IP has suddenly changed on you.</p> https://a996c8ee.aww-3cz.pages.dev/posts/2009/10/object-groups-in-the-asafwsmpix/ Thu, 01 Oct 2009 00:00:00 +0000 https://a996c8ee.aww-3cz.pages.dev/posts/2009/10/object-groups-in-the-asafwsmpix/ <p>I can&rsquo;t believe I haven&rsquo;t talked about <em>object-groups</em> yet.  I had a whole other blog entry written up, and, when I went to link things over, I realized I couldn&rsquo;t find an intro to it.  Here it goes.</p> <p>Welcome to the modern world.  A world of wonder.  A world of quickly-advancing technology.  A world where clusters of machines sit behind load balancers for scalability and availability.  A world where those clusters need access to other clusters.  A world where your firewall rulebase gets so big that it&rsquo;s unreadable without some help.</p>