Firewall Management Using DSC/CHEF

I’m curious to hear others’ ideas on the following scenario:

  • I have 9 different OUs with different firewall rules on each, managed by GPO (a pain, trust me).
  • Starting in roughly 2 weeks all of these machines will be 2012R2 (most are already).

I would like to shift from Group Policy to DSC and our existing Chef infrastructure to manage all of these instead. My first step would be compiling all the firewall rules and creating our base set of rules (the ones that exist in each OU). The second step is going to be creating the unique rules per OU. And the final step would be deploying.

My questions are:

  • Does anyone have a better idea on correlating the existing rules besides going manually through them and finding the common ones?
  • With the current xNetworking set it seems that I can add new rules; how can I go about ensuring only my “DSC firewall rules” exist in the Windows Firewall ruleset? (My thought here is, worst-case scenario, at the beginning of the Chef script I’ll just go through and wipe all the rules and reapply - although this will create some momentary security issues.)
  • As far as I can tell I can only ensure that rules are present - is there a way to ensure that the state of the “Domain” (for instance) is enabled?

[blockquote]– Does anyone have a better idea on correlating the existing rules besides going manually through them and finding the common ones?[/blockquote]
Nope. Nobody’s made any tools to do so, yet.

[blockquote]– With the current xNetworking set it seems that I can add new rules; how can I go about ensuring only my “DSC firewall rules” exist in the Windows Firewall ruleset? (My thought here is, worst-case scenario, at the beginning of the Chef script I’ll just go through and wipe all the rules and reapply – although this will create some momentary security issues.)[/blockquote]

Not exactly. xNetworking doesn’t “add new rules;” it makes sure specified rules exist. That said, you’ll probably have to experiment a bit to make sure it does what you need.

[blockquote]– As far as I can tell I can only ensure that rules are present – is there a way to ensure that the state of the “Domain” [for instance] is enabled?[/blockquote]

It doesn’t look like Microsoft’s resource does that. You might look at the cNetworking resource in our DSC Hub GitHub repo, though. The community’s been very active in expanding on Microsoft’s work.

Don,

Thanks. I actually found some ways around this and was going to post back.

First, I took machines from each OU and, using

    # $computerName is a placeholder for a host in the tier being sampled
    Invoke-Command -ComputerName $computerName -ScriptBlock { Get-NetFirewallRule -PolicyStore ActiveStore | Select-Object DisplayName | Sort-Object DisplayName } | Out-GridView

dumped those results for machines in each tier to Excel.

Using those results, I created a pivot table to find the rules that exist across all tiers. (Side note: pivot tables got easy in Excel 2013.)

Then, using Carbon DSC (https://powershell.org/forums/topic/carbon-2-0-alpha-26-released/), I rewrote my rules in PowerShell.

My remaining step is to figure out how to integrate this with our Chef environment (using a ps1 or dsc_script) - but I don’t think that will be all that hard.

I will make sure to take a look at cNetworking though.
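The same common-versus-unique split the pivot table produced, done in PowerShell instead, as an added example that is not code from the original thread. The function name Get-FirewallRuleCorrelation, the $RulesByTier shape and the sample rule names are constructed; in practice each tier’s list comes from the Invoke-Command / Get-NetFirewallRule dump above.

```powershell
# Added example: derive the baseline (rules present in every tier/OU) and the
# per-tier remainder from lists of Get-NetFirewallRule DisplayName values.
function Get-FirewallRuleCorrelation {
    param(
        [Parameter(Mandatory)]
        [hashtable] $RulesByTier   # @{ 'Tier1' = @('Rule A', ...); 'Tier2' = @(...) }
    )

    # Intersect all tiers: start with the first tier, keep only names seen in every other tier.
    $tiers  = @($RulesByTier.Keys | Sort-Object)
    $common = @($RulesByTier[$tiers[0]] | Select-Object -Unique)
    foreach ($tier in ($tiers | Select-Object -Skip 1)) {   # Skip handles the single-tier case
        $common = @($common | Where-Object { $RulesByTier[$tier] -contains $_ })
    }

    # Whatever remains in a tier after removing the baseline is that OU's unique rule set.
    $unique = @{}
    foreach ($tier in $tiers) {
        $unique[$tier] = @($RulesByTier[$tier] | Select-Object -Unique |
                           Where-Object { $common -notcontains $_ } | Sort-Object)
    }

    [pscustomobject]@{ Common = @($common | Sort-Object); UniquePerTier = $unique }
}

# Constructed sample input standing in for the per-tier Out-GridView dumps. To collect
# real data, populate each entry with something like:
#   Invoke-Command -ComputerName $computer -ScriptBlock {
#       Get-NetFirewallRule -PolicyStore ActiveStore | Select-Object -ExpandProperty DisplayName }
$sample = @{
    'Tier1-Web' = @('Core Networking - DNS (UDP-Out)', 'WinRM (HTTP-In)', 'IIS (HTTP-In)')
    'Tier2-App' = @('Core Networking - DNS (UDP-Out)', 'WinRM (HTTP-In)', 'App Service (TCP-In)')
    'Tier3-DB'  = @('Core Networking - DNS (UDP-Out)', 'WinRM (HTTP-In)', 'SQL Server (TCP-In)')
}

$result = Get-FirewallRuleCorrelation -RulesByTier $sample
"Baseline rules (present in every tier):"; $result.Common
foreach ($tier in ($result.UniquePerTier.Keys | Sort-Object)) {
    "Unique to ${tier}:"; $result.UniquePerTier[$tier]
}
```

Keying on DisplayName alone, as the gridview dump does, treats two rules with the same name but different Action, Direction or Enabled values as identical; include those properties in the key if the OUs differ in more than which rules exist.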

Configuration management should be idempotent. Deleting all the rules would actually block all traffic for the duration of applying the configuration.

Agreed - I’ve decided to pivot on that because I realized it after the fact. We’re setting up baseline monitoring in SCCM, so should the ruleset change we can go in and take a look. The rules I’m writing now will simply add them if they do not exist - no removal.

Just took a look at Carbon.

Their DSC Script and INI resources are going to be a godsend for me. We need a list of all DSC resources that are out there to avoid reinventing the wheel.

I can’t wait for WMF 5 and PowerShellGet (assuming they support Win7/2008 R2; I can’t get rid of them fast enough).

Definitely. Thanks to Chef being out there, I can use the DSC File resource to pull the necessary ones to my machines using SMB.