Monday, October 26, 2009

firewall-wizards Digest, Vol 42, Issue 9

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: secure firewall rule management program (Avishai Wool)


----------------------------------------------------------------------

Message: 1
Date: Fri, 23 Oct 2009 14:58:31 +0200
From: Avishai Wool <yash@acm.org>
Subject: Re: [fw-wiz] secure firewall rule management program
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, morty+fw-wiz@frakir.org
Cc: avishai.wool@algosec.com
Message-ID:
<8a9b1fe30910230558q65c64861oaf98005620e77b92@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Mordechai,

AlgoSec FireFlow does pretty much exactly what you need.
It is definitely topology aware and can tell you which firewalls
you should modify to meet a change request.
It has rule expiration built in.
Supports Check Point, Cisco, Juniper, Fortinet.

http://www.algosec.com

Avishai

disclaimer: I'm AlgoSec CTO & Co-Founder so I'm biased.

On 9/3/09, Mordechai T. Abzug <morty+fw-wiz@frakir.org> wrote:
> Anyone have suggestions for a good, secure webified firewall rule
> management program? I.e. the kind of thing where users submit
> requests for firewall holes and there's support for workflow so that a
> requested rule goes to an approver for approval, and if approved, it
> then goes to an implementer for implementation. COTS or free is fine.
>
> Requirements:
>
> * Secure code! The firewall request system should not itself be a
> security hole.
>
> * The system should allow users to submit rule requests, to be
> approved by designated "approvers", and if approved, implemented by
> designated "implementers".
>
> * Awareness of firewall topology. I.e. the product needs to be aware
> of which firewalls a given request traverses so this information can
> be available to approvers and implementers.
>
> * The system should include a notion of rule expiration, with
> attendant workflow.
>
> * The system should support change requests to existing rules, with
> attendant approver/implementer workflow.
>
> * The ability to abstract users into departments or projects,
> i.e. instead of the rule for the accounting web server belonging to
> an individual, it belongs to "accounting". Even better if an
> individual can submit for multiple projects, i.e. a sysadmin who
> works for both accounting and marketing can annotate "this rule
> belongs to accounting" and the like.
>
> * Sane role/permissions scheme, i.e. user from department 1 can't
> modify rule requests for department 2, and the like.
>
> Desirements:
>
> * The ability to export rulesets into popular firewall formats
>
> * The ability to import existing rules from popular firewall formats
>
> * The ability to search for IPs in rules using CIDR specifications
>
> * COTS or free. We have some budget, but if there is something free,
> we certainly won't complain.
>
> [People who have been around a while might remember that I asked this
> question some years ago. Unfortunately, there were no answers other
> than some private, "yes, we'd like that too."]
>
> - Morty
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
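The requirements in Morty's post describe a fairly small state machine, and the security-relevant parts (department-scoped permissions, a separate approver and implementer role, rule expiration, topology awareness, CIDR search) are easy to get wrong in a home-grown web front end. The following is an added toy model written for this page; it is not code from the thread, from AlgoSec FireFlow, or from any product named above. The topology, users, departments, networks and dates are constructed; the rule that a requester may not approve or implement their own request is an assumption added here as a separation-of-duties check, not something the post asks for.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from ipaddress import ip_network

class State(Enum):
    REQUESTED = "requested"
    APPROVED = "approved"
    IMPLEMENTED = "implemented"
    EXPIRED = "expired"

class WorkflowError(Exception):
    pass  # raised when a user lacks the role or department scope for an action

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset        # subset of {"requester", "approver", "implementer"}
    departments: frozenset  # departments this user may act for (a sysadmin may have several)

@dataclass
class RuleRequest:
    rid: int
    department: str  # rules belong to a department, not to an individual
    src: str         # CIDR
    dst: str         # CIDR
    port: int
    expires: date
    requested_by: str
    state: State = State.REQUESTED

# Constructed topology (assumption): the networks sitting behind each firewall.
TOPOLOGY = {
    "fw-dmz":  [ip_network("10.10.0.0/16")],
    "fw-corp": [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")],
}

def firewalls_traversed(src, dst):
    """Firewalls guarding either endpoint, i.e. the ones an implementer must change."""
    ends = (ip_network(src), ip_network(dst))
    return sorted(fw for fw, nets in TOPOLOGY.items()
                  if any(e.subnet_of(n) for e in ends for n in nets))

class Workflow:
    def __init__(self):
        self.requests = {}

    def submit(self, user, department, src, dst, port, expires):
        if "requester" not in user.roles or department not in user.departments:
            raise WorkflowError(f"{user.name} may not request rules for {department}")
        ip_network(src); ip_network(dst)  # reject malformed CIDRs at the door
        rid = len(self.requests) + 1
        self.requests[rid] = RuleRequest(rid, department, src, dst, port, expires, user.name)
        return rid

    def _transition(self, user, rid, role, frm, to):
        """Role check, department scoping, separation of duties, then the state change."""
        req = self.requests[rid]
        if role not in user.roles:
            raise WorkflowError(f"{user.name} lacks role {role}")
        if req.department not in user.departments:  # dept 1 cannot touch dept 2's requests
            raise WorkflowError(f"{user.name} may not act for {req.department}")
        if user.name == req.requested_by:            # assumption: no self-approval
            raise WorkflowError("requester may not approve or implement own request")
        if req.state is not frm:
            raise WorkflowError(f"request {rid} is {req.state.value}, expected {frm.value}")
        req.state = to
        return req

    def approve(self, user, rid):
        return self._transition(user, rid, "approver", State.REQUESTED, State.APPROVED)

    def implement(self, user, rid):
        """Mark the rule implemented and report which firewalls needed it."""
        req = self._transition(user, rid, "implementer", State.APPROVED, State.IMPLEMENTED)
        return firewalls_traversed(req.src, req.dst)

    def expire(self, today):
        """Rule expiration: flag implemented rules whose date has passed."""
        done = [r for r in self.requests.values()
                if r.state is State.IMPLEMENTED and r.expires < today]
        for r in done:
            r.state = State.EXPIRED
        return [r.rid for r in done]

    def search_cidr(self, cidr):
        """Find requests whose source or destination overlaps the given CIDR."""
        net = ip_network(cidr)
        return sorted(r.rid for r in self.requests.values()
                      if ip_network(r.src).overlaps(net) or ip_network(r.dst).overlaps(net))

def demo():
    """Constructed walk-through; returns a dict so the outcome can be checked."""
    wf = Workflow()
    alice = User("alice", frozenset({"requester"}), frozenset({"accounting", "marketing"}))
    bob = User("bob", frozenset({"approver"}), frozenset({"accounting"}))
    carol = User("carol", frozenset({"implementer"}), frozenset({"accounting", "marketing"}))
    acct = wf.submit(alice, "accounting", "10.20.5.0/24", "10.10.1.10/32", 443, date(2009, 12, 31))
    wf.approve(bob, acct)
    fws = wf.implement(carol, acct)
    mkt = wf.submit(alice, "marketing", "10.30.0.0/24", "10.10.2.0/24", 80, date(2009, 11, 1))
    try:
        wf.approve(bob, mkt)  # bob is an accounting approver only
        blocked = False
    except WorkflowError:
        blocked = True
    return {"firewalls": fws, "cross_dept_blocked": blocked,
            "search": wf.search_cidr("10.10.0.0/16"), "expired": wf.expire(date(2010, 1, 15))}
```

Calling demo() walks one accounting request through submit, approve and implement (the implementer is told it touches both fw-corp and fw-dmz), shows an approver from another department being refused, finds both requests by a CIDR search, and expires the implemented rule once its date has passed. The point for the "secure code" requirement is that every state change goes through one check function, so there is no path by which a requester, or an approver for the wrong department, can advance a request.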


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 42, Issue 9
***********************************************