Re: secure firewall rule management program

[Avishai Wool <yash () acm org>]

Mordechai,

AlgoSec FireFlow does pretty much exactly what you need.
It is definitely topology aware and can tell you which firewalls
you should modify to meet a change request.
It has rule expiration built in.
Supports Check Point, Cisco, Juniper, Fortinet.

http://www.algosec.com

Avishai

disclaimer: I'm AlgoSec CTO & Co-Founder so I'm biased.



On 9/3/09, Mordechai T. Abzug <morty+fw-wiz () frakir org> wrote:
> Anyone have suggestions for a good, secure webified firewall rule
> management program?  I.e. the kind of thing where users submit
> requests for firewall holes and there's support for workflow so that a
> requested rule goes to an approver for approval, and if approved, it
> then goes to an implementer for implementation.  COTS or free is fine.
>
> Requirements:
>
> * Secure code!  The firewall request system should not itself be a
>  security hole.
>
> * The system should allow users to submit rule requests, to be
>  approved by designated "approvers", and if approved, implemented by
>  designated "implementers".
>
> * Awareness of firewall topology.  I.e. the product needs to be aware
>  of which firewalls a given request traverses so this information can
>  be available to approvers and implementers.
>
> * The system should include a notion of rule expiration, with
>  attendant workflow.
>
> * The system should support change requests to existing rules, with
>  attendant approver/implementer workflow.
>
> * The ability to abstract users into departments or projects,
>  ie. instead of the rule for the accounting web server belonging to
>  an individual, it belongs to "accounting".  Even better if an
>  individual can submit for multiple projects, ie. a sysadmin who
>  works for both accounting and marketing can annotate "this rule
>  belongs to accounting" and the like.
>
> * Sane role/permissions scheme, ie. user from department 1 can't
>  modify rule requests for department 2, and the like.
>
> Desirements:
>
> * The ability to export rulesets into popular firewall formats
>
> * The ability to import existing rules from popular firewall formats
>
> * The ability to search for IPs in rules using CIDR specifications
>
> * COTS or free.  We have some budget, but if there is something free,
>  we certainly won't complain.
>
> [People who have been around a while might remember that I asked this
> question some years ago.  Unfortunately, there were no answers other
> than some private, "yes, we'd like that too."]
>
> - Morty
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards