Firewall Wizards mailing list archives

Re: Security policy language

From: Matthew Hannigan <mlh () zip com au>
Date: Thu, 25 Jan 2007 10:56:05 +1100

On Wed, Jan 24, 2007 at 09:51:13AM +0100, Marco Cremonini wrote:

Hi all,
     I would like to ask you a suggestion for a project we are  
developing.
The project aims to automate some monitoring functionality with  
firewall policy management (just iptables, at present).
The problem is: We would like to implement/adopt a high-level  
specification language for the definition of a security policy,  
something that should let to specify the policy at organizational  
level. Such a policy should then  be translated into specific fw rules.
[ .. ]


It's probaby not high level enough for you, but are you
aware of http://www.fwbuilder.org/ ?

Here's an excerpt from the FAQ.  It does cisco pix as well,
but that costs.



Frequently Asked Questions for Firewall Builder 2.0 and 2.1
Vadim Kurland

  vadim () fwbuilder org
Revision History
Revision $Revision: 1.6 $       $Date: 2007/01/06 20:09:22 $    Revised by: vk

Firewall Builder consists of an object-oriented GUI and a set of
policy compilers for various firewall platforms. In Firewall Builder,
a firewall policy is a set of rules; each rule consists of abstract
objects that represent real network objects and services (hosts,
routers, firewalls, networks, protocols). Firewall Builder helps
users maintain a database of objects and allows policy editing
using simple drag-and-drop operations.

Object databases are stored in XML format. The GUI and policy
compilers are completely independent. The GUI requires only minimal
changes in order to add support for a new firewall platform even
though a new policy compiler must be written. This provides for a
consistent abstract model and the same GUI for different firewall
platforms. Standardized XML data format opens possibility for
many user interfaces and policy compiler implementations, all
interchangeable.

We have policy compilers for the popular free firewalls iptables
http://www.iptables.org/, ipfilter http://coombs.anu.edu.au/~avalon/,
pf http://www.benzedrine.cx/pf.html. Because of the modular
architecture, Firewall Builder can be used to manage firewalls
built on a variety of platforms including, but not limited to, Linux
using iptables, ipfilter on FreeBSD or Solaris and pf on OpenBSD.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Security policy language Marco Cremonini (Jan 24)
- Re: Security policy language Marcus J. Ranum (Jan 24)
  - Re: Security policy language Tina Bird (Jan 24)
    - Re: Security policy language Avishai Wool (Jan 25)
- Re: Security policy language Dave Piscitello (Jan 24)
  - Re: Security policy language R. DuFresne (Jan 25)
- Re: Security policy language Stephen P. Berry (Jan 24)
- Re: Security policy language Matthew Hannigan (Jan 24)
- <Possible follow-ups>
- Re: Security policy language Jean-Denis Gorin (Jan 25)