Community Sourcing Wish List: Wireshark to Group Policy
In locked-down environments (default deny all) I frequently have to craft firewall rule sets, often in dedicated group policies, to allow IoT devices to talk to the Internet and work.
The thing is - IoT developers are sh*t at writing firewall documentation. The problem is exacerbated because they themselves are often using other libraries, modules and cloud services and they are not aware of the firewall requirements of all of those services (or forget they need to include them) - or don't realise they also need to include all of those requirements to allow the customer to form a complete working solution.
It's so bad I often only glance over their documentation these days to get the gist.
Instead I whitelist the device. Start with the device powered off. Start a long-running packet capture. Power on the device. Get the user to do everything that is required of the IoT device. Then stop the packet capture.
From this point I create filters in Wireshark like udp.port==53 and extract all the DNS responses. Then I look at the flows to those IP addresses and create FQDN rules for the ports used.
Then I delete anything I don't want that IoT device to access. You would not believe the amount of crap Windows-based IoT devices access (does it really need to access the Bing map service to measure the fridge temperature?).
Usually that gives a complete rule base. Sometimes you get the odd IoT device that accesses cloud-based services using hard-coded IP addresses (e.g. DNS servers), so I need to add a small number of rules specifying IP addresses instead of DNS names.
It would be really great if someone (I'm looking at you) could write a pcap-to-group-policy tool. It would save me a lot of time. It would also allow everyone to be a lot more vigilant about their IoT devices and their varying levels of code quality.
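The capture-then-whitelist procedure above can be mechanised fairly directly. The script below is an example added to this post, not the author's tool and not any existing project's code. It constructs a small pcap in memory (the device address 192.168.10.50, the resolver 8.8.8.8, and the destinations telemetry.example.com, 203.0.113.10 and 198.51.100.7 are all assumed/constructed for the demo), pulls the A records out of DNS responses, records every outbound TCP/UDP flow from the device, and emits an FQDN rule where the destination was learned via DNS and a plain IP rule where it was not (the hard-coded resolver and an NTP server in the demo). Only the standard library is used.

```python
"""pcap -> draft allow-list. Example code added to this post (not the author's tool).
IPv4 A records only; checksums are neither computed nor verified. The capture is constructed."""
import struct
from collections import defaultdict

DEVICE_IP = "192.168.10.50"   # assumed address of the IoT device under test

# ---- helpers that build a synthetic capture (constructed sample data) ----
def _ip4(ip):
    return bytes(int(o) for o in ip.split("."))

def _name_to_wire(name):
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split(".")) + b"\x00"

def _frame(src, dst, proto, payload):
    """Ethernet (dummy MACs, type 0x0800) + IPv4 header with a zero checksum."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, _ip4(src), _ip4(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def udp(src, sport, dst, dport, data=b""):
    return _frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

def tcp_syn(src, sport, dst, dport):
    return _frame(src, dst, 6, struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0))

def dns_response(server, client, sport, name, ips):
    """One question plus one A RR per IP; RR names are compression pointers to offset 12."""
    question = _name_to_wire(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + _ip4(ip) for ip in ips)
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0) + question + answers
    return udp(server, 53, client, sport, msg)

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

# ---- the actual pcap -> rules logic ----
def _read_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n

def _dns_a_records(msg):
    """Yield (fqdn, ipv4) for every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                                   # qtype + qclass
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            yield name, ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen

def iter_packets(pcap):
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def pcap_to_rules(pcap, device_ip):
    names = defaultdict(set)        # resolved ip -> {fqdn}
    flows = set()                   # (proto, dst ip, dst port) seen from the device
    for frame in iter_packets(pcap):
        if frame[12:14] != b"\x08\x00":           # IPv4 only
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        l4 = ip[ihl:]
        sport, dport = struct.unpack("!HH", l4[:4])
        if proto == 17 and sport == 53 and dst == device_ip:
            for fqdn, a in _dns_a_records(l4[8:]):
                names[a].add(fqdn)
        elif src == device_ip and proto in (6, 17):
            flows.add(("tcp" if proto == 6 else "udp", dst, dport))
    rules = set()
    for proto, dst, dport in flows:
        if dst in names:
            rules.update(f"allow {proto}/{dport} to fqdn {f}" for f in names[dst])
        else:
            rules.add(f"allow {proto}/{dport} to ip {dst}")   # hard-coded destination
    return sorted(rules)

SAMPLE_PCAP = build_pcap([                        # constructed capture
    udp(DEVICE_IP, 40001, "8.8.8.8", 53),         # query to a hard-coded resolver
    dns_response("8.8.8.8", DEVICE_IP, 40001, "telemetry.example.com", ["203.0.113.10"]),
    tcp_syn(DEVICE_IP, 50100, "203.0.113.10", 443),
    tcp_syn(DEVICE_IP, 50101, "203.0.113.10", 8883),
    udp(DEVICE_IP, 50102, "198.51.100.7", 123, b"\x00" * 48),   # NTP to an address never resolved
])

if __name__ == "__main__":
    print("\n".join(pcap_to_rules(SAMPLE_PCAP, DEVICE_IP)))
```

The output is the draft rule base to prune by hand, exactly the step where the Bing-maps-for-a-fridge entries get deleted. Caveats a practitioner should keep in mind: CNAME chains and AAAA records are not followed here, so a destination reached through an alias will fall into the IP bucket; a device that resolves over DoH/DoT shows up only as TLS flows to the resolver; and an FQDN rule is only as good as the firewall's own resolution of that name, so the capture should be long enough to see the device talk to every address behind a round-robin name.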
If you don't I'm going to have to write it. And I'm too busy manually doing this process to do it right now. I can wait till tomorrow, so take your time.