firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. secure firewall rule management program (Mordechai T. Abzug)
2. VOIP in the field today (Dave Piscitello)
3. Re: VOIP in the field today (ArkanoiD)
----------------------------------------------------------------------
Message: 1
Date: Thu, 3 Sep 2009 03:18:42 -0400
From: "Mordechai T. Abzug" <morty+fw-wiz@frakir.org>
Subject: [fw-wiz] secure firewall rule management program
To: firewall-wizards@listserv.cybertrust.com
Message-ID: <20090903071842.GD11404@red-sonja>
Content-Type: text/plain; charset=us-ascii
Anyone have suggestions for a good, secure webified firewall rule
management program? I.e. the kind of thing where users submit
requests for firewall holes and there's support for workflow so that a
requested rule goes to an approver for approval, and if approved, it
then goes to an implementer for implementation. COTS or free is fine.

Requirements:

* Secure code! The firewall request system should not itself be a
  security hole.
* The system should allow users to submit rule requests, to be
  approved by designated "approvers", and if approved, implemented by
  designated "implementers".
* Awareness of firewall topology. I.e. the product needs to be aware
  of which firewalls a given request traverses so this information can
  be available to approvers and implementers.
* The system should include a notion of rule expiration, with
  attendant workflow.
* The system should support change requests to existing rules, with
  attendant approver/implementer workflow.
* The ability to abstract users into departments or projects,
  i.e. instead of the rule for the accounting web server belonging to
  an individual, it belongs to "accounting". Even better if an
  individual can submit for multiple projects, i.e. a sysadmin who
  works for both accounting and marketing can annotate "this rule
  belongs to accounting" and the like.
* Sane role/permissions scheme, i.e. user from department 1 can't
  modify rule requests for department 2, and the like.

Desirements:

* The ability to export rulesets into popular firewall formats
* The ability to import existing rules from popular firewall formats
* The ability to search for IPs in rules using CIDR specifications
* COTS or free. We have some budget, but if there is something free,
  we certainly won't complain.

[People who have been around a while might remember that I asked this
question some years ago. Unfortunately, there were no answers other
than some private, "yes, we'd like that too."]

- Morty
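
A minimal model of the workflow these requirements describe, added here as an illustration; it is not part of the original message and not any product's code. It covers department-owned requests, role-gated requester/approver/implementer transitions (expiry is modelled as one more transition), and CIDR search; every name (TRANSITIONS, RuleRequest, allowed, submit, advance, search) and the shape of the roles mapping are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import date

# Legal state changes and the role required, in the owning department, for each.
TRANSITIONS = {
    ("requested", "approved"): "approver",
    ("requested", "rejected"): "approver",
    ("approved", "implemented"): "implementer",
    ("implemented", "expired"): "implementer",
}

@dataclass
class RuleRequest:
    department: str   # owner is a department/project, not an individual
    src: str          # source network, CIDR notation
    dst: str          # destination network, CIDR notation
    port: int
    expires: date
    state: str = "requested"
    history: list = field(default_factory=list)

def allowed(roles, department, role):
    """roles maps department -> set of roles this user holds there."""
    return role in roles.get(department, set())

def submit(roles, department, src, dst, port, expires):
    """Create a request; only a requester of the owning department may."""
    if not allowed(roles, department, "requester"):
        raise PermissionError(f"not a requester for {department}")
    for cidr in (src, dst):          # reject malformed input up front
        ipaddress.ip_network(cidr)
    return RuleRequest(department, src, dst, port, expires)

def advance(req, who, roles, new_state):
    """Move a request along the workflow, enforcing role and department."""
    needed = TRANSITIONS.get((req.state, new_state))
    if needed is None:
        raise ValueError(f"illegal transition {req.state} -> {new_state}")
    if not allowed(roles, req.department, needed):
        raise PermissionError(f"{who} is not {needed} for {req.department}")
    req.history.append((req.state, new_state, who))  # audit trail
    req.state = new_state

def search(requests, cidr):
    """Requests whose source or destination overlaps the given CIDR."""
    net = ipaddress.ip_network(cidr)
    return [r for r in requests if any(
        ipaddress.ip_network(a).overlaps(net) for a in (r.src, r.dst))]
```
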
------------------------------
Message: 2
Date: Wed, 09 Sep 2009 08:13:53 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: [fw-wiz] VOIP in the field today
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4AA79C01.3030700@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
I've been away from this topic for a while but am curious.
Has any progress been made in deploying VOIP without having to use
underlying security protocols (SSL/TLS or IPSEC) to secure the VOIP
signaling and media streams?
Are any folks using network edge devices to secure VOIP, e.g.,
"VOIP-aware" firewall or secure voice proxies? Are you complementing
these with MAC level encryption from endpoint-to-proxy/endpoint-to-edge?
------------------------------
Message: 3
Date: Wed, 9 Sep 2009 23:28:44 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] VOIP in the field today
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20090909192844.GA721@eltex.net>
Content-Type: text/plain; charset=koi8-r
Well, there is SRTP/ZRTP. For SIP, TLS is widely accepted.
Having a proxy that will add encryption would be nice, but most people
just tunnel VoIP connections over VPN.
On Wed, Sep 09, 2009 at 08:13:53AM -0400, Dave Piscitello wrote:
> I've been away from this topic for a while but am curious.
>
> Has any progress been made in deploying VOIP without having to use
> underlying security protocols (SSL/TLS or IPSEC) to secure the VOIP
> signaling and media streams?
>
> Are any folks using network edge devices to secure VOIP, e.g.,
> "VOIP-aware" firewall or secure voice proxies? Are you complementing
> these with MAC level encryption from endpoint-to-proxy/endpoint-to-edge?
------------------------------
End of firewall-wizards Digest, Vol 41, Issue 1
***********************************************