Security Basics mailing list archives
RE: DMZ / Firewall rule diagramming
From: "Jackson, Gary" <Gary.Jackson () tectura com>
Date: Tue, 7 Dec 2004 21:37:48 -0700
Checkpoint Visual Policy Editor offers some functionality in that area, but it's still limited. I haven't found any kind of rules-to-diagram parser for i.e. iptables. Maybe time to write something.

-----Original Message-----
From: Craig Humphrey [mailto:Craig.Humphrey () chapmantripp com]
Sent: Sun 12/5/2004 8:34 PM
To: security-basics () securityfocus com
Cc: Michael Gale
Subject: RE: DMZ / Firewall rule diagramming

Hi Michael,
From the responses I'm getting, I don't think I explained the situation very well. I'm not after "how to write rules" or "what rules should I have". I'm looking for a generic way to diagram the rules I already have. Preferably something nice and visual (like Visio), but even Visio starts to get cumbersome with a complex DMZ; even breaking flows/rules into layers only goes so far. I was hoping that the industry had developed some formal standards for diagramming DMZs and flows/rules.

Thanks
Craig
-----Original Message-----
From: Michael Gale [mailto:michael.gale () bluesuperman com]
Sent: Monday, December 06, 2004 3:26 PM
To: Craig Humphrey; security-basics () securityfocus com
Subject: Re: DMZ / Firewall rule diagramming

Hello,

Check out some firewall appliances ... most of them have some sort of standard. For example I used the following:

Connections from Internal to the DMZ are allowed if they match one of the forward rules on the firewall. The forward rules only allow packets from source addresses to destination addresses on specific ports which are ruled to be a business requirement.

For connections coming from the DMZ to the internal network which are required for business (example: a Postfix SMTP server forwarding mail on to Exchange), the DMZ server connects to a proxy or a NATing rule. DMZ servers never know the IP of an internal server; the DMZ network has the same relationship with the internal network as the external network does with the DMZ. So the DMZ mail server would connect to port 25 on the firewall and that traffic would get forwarded to the Exchange server.

That is the standard that I use ... was this what you were looking for?

Michael
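The "rules-to-diagram parser for iptables" Gary says nobody seems to have written, sketched here as an added example that is not code from the thread or from any of the posters. It parses an iptables-save dump into flows, emits a Graphviz DOT graph of them, and adds the check a reviewer of Michael's scheme would want: any FORWARD ACCEPT that lets a DMZ host reach an internal address directly, rather than via a DNAT on the firewall, breaks the "DMZ never knows an internal IP" rule. The sample dump, the 192.0.2.0/24 DMZ and 10.0.0.0/24 internal ranges, the interface names and the firewall address 192.0.2.1 are all constructed for the example (IPv4 only); the 1433 rule is deliberately included so the check has something to find.

```python
"""Parse an iptables-save dump into flows, emit a Graphviz DOT diagram, and flag
DMZ-to-internal ACCEPT rules that bypass the firewall-side NAT/proxy."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (not from the thread): eth1 = DMZ 192.0.2.0/24, eth2 = internal
# 10.0.0.0/24, 192.0.2.1 = the firewall's DMZ-side address. The Postfix host
# 192.0.2.25 talks to port 25 on the firewall, which DNATs it to Exchange (10.0.0.10).
# The 1433 rule is a deliberate violation: the web server addresses an internal DB directly.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -s 192.0.2.25/32 -d 192.0.2.1/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.10:25
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -s 10.0.0.0/24 -d 192.0.2.80/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -s 192.0.2.25/32 -d 10.0.0.10/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -s 192.0.2.80/32 -d 10.0.0.20/32 -p tcp -m tcp --dport 1433 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j LOG --log-prefix "DMZ-TO-INT-DROP "
COMMIT
"""


@dataclass
class Flow:
    table: str
    chain: str
    src: str            # "any" when the rule has no -s
    dst: str            # "any" when the rule has no -d
    proto: str
    dport: Optional[str]
    target: str
    to: Optional[str]   # --to-destination / --to-source for DNAT / SNAT


def parse_iptables_save(text: str) -> List[Flow]:
    """Turn every '-A CHAIN ...' line into a Flow; header, policy and COMMIT lines carry no traffic."""
    flows, table = [], "filter"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]            # "*nat" / "*filter" start a new table
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)        # keeps quoted values such as --log-prefix "..." intact
        opts, negate, i = {}, False, 2
        while i < len(toks):
            tok = toks[i]
            if tok == "!":              # modern negation form: ! -s 10.0.0.0/8
                negate = True
            elif tok.startswith("-"):
                key = tok.lstrip("-")
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-") and toks[i + 1] != "!"
                opts[key] = ("!" if negate else "") + (toks[i + 1] if has_val else "true")
                negate = False
                i += 1 if has_val else 0
            i += 1
        flows.append(Flow(table, toks[1], opts.get("s", "any"), opts.get("d", "any"),
                          opts.get("p", "any"), opts.get("dport"), opts.get("j", "(none)"),
                          opts.get("to-destination") or opts.get("to-source")))
    return flows


def to_dot(flows: List[Flow]) -> str:
    """Graphviz DOT: solid = ACCEPT, dashed = NAT translation, dotted = LOG/DROP/REJECT/other."""
    out = ["digraph firewall {", "  rankdir=LR;", "  node [shape=box];"]
    for f in flows:
        label = f"{f.table}/{f.chain} {f.proto}" + (f"/{f.dport}" if f.dport else "")
        style = {"ACCEPT": "solid", "DNAT": "dashed", "SNAT": "dashed"}.get(f.target, "dotted")
        out.append(f'  "{f.src}" -> "{f.dst}" [label="{label} {f.target}", style={style}];')
        if f.to:  # second edge shows where the translated packet really ends up
            out.append(f'  "{f.dst}" -> "{f.to}" [label="{f.target} to", style=dashed];')
    out.append("}")
    return "\n".join(out)


def direct_dmz_to_internal(flows: List[Flow], dmz_net: str, internal_net: str) -> List[Flow]:
    """FORWARD ACCEPTs whose source is in the DMZ and whose destination is an internal
    address that no DNAT on the firewall maps to: the DMZ host addressed the internal
    server itself, which the proxy/NAT-only design forbids. IPv4 only (assumption)."""
    dmz, internal = ipaddress.ip_network(dmz_net), ipaddress.ip_network(internal_net)
    nat_targets = {f.to.rsplit(":", 1)[0] for f in flows if f.target == "DNAT" and f.to}
    bad = []
    for f in flows:
        if f.chain != "FORWARD" or f.target != "ACCEPT" or "any" in (f.src, f.dst):
            continue
        if f.src.startswith("!") or f.dst.startswith("!"):
            continue  # negated matches need a different analysis; skip rather than guess
        s, d = ipaddress.ip_network(f.src, strict=False), ipaddress.ip_network(f.dst, strict=False)
        if s.subnet_of(dmz) and d.subnet_of(internal) and str(d.network_address) not in nat_targets:
            bad.append(f)
    return bad


if __name__ == "__main__":
    fl = parse_iptables_save(SAMPLE)
    print(to_dot(fl))   # pipe into: dot -Tsvg -o dmz.svg
    for f in direct_dmz_to_internal(fl, "192.0.2.0/24", "10.0.0.0/24"):
        print(f"# direct DMZ->internal: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Feed it a real `iptables-save` on stdin instead of SAMPLE and the DOT output groups flows per table/chain so a layered Visio-style drawing falls out of `dot` rather than being maintained by hand; the check deliberately treats the post-DNAT FORWARD rule (DMZ host to 10.0.0.10) as legitimate, since iptables evaluates FORWARD after PREROUTING has rewritten the destination.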
Current thread:
- Re: DMZ / Firewall rule diagramming, (continued)
- Re: DMZ / Firewall rule diagramming Charles mckee (Dec 02)
- Re: DMZ / Firewall rule diagramming Michael Gale (Dec 06)
- RE: DMZ / Firewall rule diagramming Craig Humphrey (Dec 03)
- Re: DMZ / Firewall rule diagramming Spigga (Dec 06)
- RE: DMZ / Firewall rule diagramming Craig Humphrey (Dec 07)
- Re: DMZ / Firewall rule diagramming Michael Gale (Dec 06)
- Re: DMZ / Firewall rule diagramming Spigga (Dec 07)
- Re: DMZ / Firewall rule diagramming Spigga (Dec 08)
- Re: DMZ / Firewall rule diagramming Michael Gale (Dec 06)
- RE: DMZ / Firewall rule diagramming aldr1c (Dec 08)
- RE: DMZ / Firewall rule diagramming Gaydosh, Adam (Dec 08)
- RE: DMZ / Firewall rule diagramming Jackson, Gary (Dec 08)
- RE: DMZ / Firewall rule diagramming Craig Humphrey (Dec 08)
- RE: DMZ / Firewall rule diagramming Craig Humphrey (Dec 08)
- RE: DMZ / Firewall rule diagramming Craig Humphrey (Dec 09)