Firewall Wizards mailing list archives

Re: secure firewall rule management program


From: rainer.ginsberg () basf-it-services com
Date: Thu, 10 Sep 2009 11:03:35 +0200


Hi Morty,

I know of three commercial products that claim to fulfill most of your
requirements. I haven't used them nor even seen a demo, so I can't share
any experience. They are (in alphabetical order)
 - AlgoSec FireFlow <http://www.algosec.com/en/products/fireflow_overview.php>
 - Check Point SmartWorkflow <http://www.checkpoint.com/products/softwareblades/smartworkflow.html>
 - Tufin SecureChange Workflow <http://www.tufin.com/products_securechange_workflow.php>

While Check Point's product only works for their line of firewalls, the
other two products claim to support multiple firewall vendors.

Best regards,
Rainer


Rainer Ginsberg
Security, Voice & Network Planning


Phone: +49 621 60-94660, Fax: +49 621 60-6694660, E-Mail:
rainer.ginsberg () basf-it-services com
Postal Address: BASF IT Services GmbH, IN-CP - C010, 67059 Ludwigshafen,
Germany


www.basf-it-services.com


BASF IT Services GmbH, Registered Office: 67059 Ludwigshafen, Germany
Companies' Register: Amtsgericht Ludwigshafen, HRB 3541
Managing Directors:
Andreas Biermann, Dr. Ralf Sonnberger
Chairman of the Supervisory Board: Andrew Pike




                                                                           
             "Mordechai T.                                                 
             Abzug"                                                        
             <morty+fw-wiz@fra                                          To 
             kir.org>                  firewall-wizards@listserv.cybertrus 
             Sent by:                  t.com                               
             firewall-wizards-                                          cc 
             bounces@listserv.                                             
             icsalabs.com                                          Subject 
                                       [fw-wiz] secure firewall rule       
                                       management program (Plain)          
             03.09.2009 09:18                                              
                                                                           
                                                                           
             Please respond to                                             
             Firewall Wizards                                              
             Security Mailing                                              
                   List                                                    
             <firewall-wizards                                             
             @listserv.icsalab                                             
                  s.com>                                                   
                                                                           
                                                                           




Anyone have suggestions for a good, secure webified firewall rule
management program?  I.e. the kind of thing where users submit
requests for firewall holes and there's support for workflow so that a
requested rule goes to an approver for approval, and if approved, it
then goes to an implementer for implementation.  COTS or free is fine.

Requirements:

* Secure code!  The firewall request system should not itself be a
  security hole.

* The system should allow users to submit rule requests, to be
  approved by designated "approvers", and if approved, implemented by
  designated "implementers".

* Awareness of firewall topology.  I.e. the product needs to be aware
  of which firewalls a given request traverses so this information can
  be available to approvers and implementers.

* The system should include a notion of rule expiration, with
  attendant workflow.

* The system should support change requests to existing rules, with
  attendant approver/implementer workflow.

* The ability to abstract users into departments or projects,
  i.e. instead of the rule for the accounting web server belonging to
  an individual, it belongs to "accounting".  Even better if an
  individual can submit for multiple projects, i.e. a sysadmin who
  works for both accounting and marketing can annotate "this rule
  belongs to accounting" and the like.

* Sane role/permissions scheme, i.e. user from department 1 can't
  modify rule requests for department 2, and the like.

Desirements:

* The ability to export rulesets into popular firewall formats

* The ability to import existing rules from popular firewall formats

* The ability to search for IPs in rules using CIDR specifications

* COTS or free.  We have some budget, but if there is something free,
  we certainly won't complain.

[People who have been around a while might remember that I asked this
question some years ago.  Unfortunately, there were no answers other
than some private, "yes, we'd like that too."]

- Morty

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
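The requirements Morty lists (requester/approver/implementer workflow, department ownership with a permission check across departments, rule expiration, change requests that re-enter approval, topology awareness, and CIDR search) map onto a small state machine. The following is an added example written for this archive page; it is not code from the thread, nor from AlgoSec, Check Point or Tufin. The firewall names, the user names, the departments, the prefixes and the "a firewall is crossed when exactly one endpoint sits in a network it guards" topology rule are all assumptions made for illustration.

```python
# Added example (not from the thread or any product named in it): a toy model
# of the request -> approve -> implement workflow with department ownership,
# expiration, change requests, topology lookup and CIDR search.
import ipaddress
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class State(Enum):
    REQUESTED = "requested"
    APPROVED = "approved"
    IMPLEMENTED = "implemented"
    EXPIRED = "expired"


@dataclass(frozen=True)
class User:
    name: str
    departments: frozenset   # departments this user may submit/change for
    roles: frozenset         # subset of {"requester", "approver", "implementer"}


@dataclass
class RuleRequest:
    rid: int
    department: str          # the owner is a department, not a person
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int
    expires: date
    state: State = State.REQUESTED
    history: list = field(default_factory=list)   # audit trail (who, what)


class Workflow:
    """Requester -> approver -> implementer, with role and department checks."""

    def __init__(self, firewalls):
        # firewalls: {name: [prefixes it guards]} - an assumed, simplified topology
        self.firewalls = {n: [ipaddress.ip_network(p) for p in nets]
                          for n, nets in firewalls.items()}
        self.requests = {}
        self._next_id = 1

    def _require_role(self, user, role):
        if role not in user.roles:
            raise PermissionError(f"{user.name} does not hold role {role}")

    def _require_department(self, user, department):
        # "user from department 1 can't modify rule requests for department 2"
        if department not in user.departments:
            raise PermissionError(f"{user.name} may not act for {department}")

    def submit(self, user, department, src, dst, port, expires):
        self._require_role(user, "requester")
        self._require_department(user, department)
        req = RuleRequest(self._next_id, department, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), port, expires)
        req.history.append((user.name, "submitted"))
        self.requests[req.rid] = req
        self._next_id += 1
        return req.rid

    def _transition(self, user, rid, role, expected, new):
        req = self.requests[rid]
        self._require_role(user, role)          # approvers/implementers are central
        if req.state is not expected:
            raise ValueError(f"rule {rid} is {req.state.value}, not {expected.value}")
        req.state = new
        req.history.append((user.name, new.value))

    def approve(self, user, rid):
        self._transition(user, rid, "approver", State.REQUESTED, State.APPROVED)

    def implement(self, user, rid):
        self._transition(user, rid, "implementer", State.APPROVED, State.IMPLEMENTED)

    def change(self, user, rid, **fields):
        """Change request on an existing rule: only the owning department may
        edit, and any edit sends the rule back through approval."""
        req = self.requests[rid]
        self._require_role(user, "requester")
        self._require_department(user, req.department)
        for key, value in fields.items():
            setattr(req, key, ipaddress.ip_network(value) if key in ("src", "dst") else value)
        req.state = State.REQUESTED
        req.history.append((user.name, "changed"))

    def expire(self, today):
        """Expiration sweep; returns the ids of rules expired on this run."""
        expired = []
        for req in self.requests.values():
            if req.state is State.IMPLEMENTED and req.expires <= today:
                req.state = State.EXPIRED
                req.history.append(("system", "expired"))
                expired.append(req.rid)
        return expired

    def traversed(self, rid):
        """Firewalls a flow crosses: crossed when exactly one endpoint lies in a
        prefix the firewall guards (simplifying assumption for the example)."""
        req = self.requests[rid]

        def behind(fw, net):
            return any(net.subnet_of(guarded) for guarded in self.firewalls[fw])

        return sorted(fw for fw in self.firewalls
                      if behind(fw, req.src) != behind(fw, req.dst))

    def search(self, cidr):
        """CIDR search: ids of rules whose src or dst overlaps the prefix."""
        net = ipaddress.ip_network(cidr)
        return sorted(r.rid for r in self.requests.values()
                      if r.src.overlaps(net) or r.dst.overlaps(net))


def demo():
    """Constructed sample data: two firewalls, three users, one request."""
    wf = Workflow({"fw-dmz": ["192.0.2.0/24"], "fw-core": ["10.0.0.0/8"]})
    alice = User("alice", frozenset({"accounting", "marketing"}), frozenset({"requester"}))
    bob = User("bob", frozenset({"marketing"}), frozenset({"requester"}))
    sec = User("sec", frozenset(), frozenset({"approver", "implementer"}))
    rid = wf.submit(alice, "accounting", "10.20.30.0/24", "192.0.2.10", 443, date(2009, 12, 31))
    return wf, alice, bob, sec, rid


if __name__ == "__main__":
    wf, alice, bob, sec, rid = demo()
    print("traverses:", wf.traversed(rid))
    wf.approve(sec, rid)
    wf.implement(sec, rid)
    print("state:", wf.requests[rid].state.value, "search:", wf.search("10.20.0.0/16"))
```

The department check sits on submit and change only; approvers and implementers are modelled as a central team, which is one reading of the requirement. Replacing `expire()` with a scheduled job that reopens an approval ticket is the "attendant workflow" the post asks for.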

