Security Policy

["Wolfgang 'Robyn' Braun" <braun () cassandra kiosk ch>]

Greetings

I'm currently working here for this organisation in switzerland, one
of my main jobs being to come up with a (hopefully reliable) firewall
solution. So for some weeks now i read Chapman & Zwicky's book on
firewalls, various security related newsgroups and mailing lists and
chase every bit of information about firewall tools that i can find. 

That's all ok so far. I made myself familiar with the tools i want to
use and tested them out on a subnet i set up especially for this 
purpose.
But since i'm subscribed to firewall-wizards, i get the feeling that
something very basic is missing, and last night i found out what it 
is: A Security Policy!

You can really find tons of information on how to set up your screening
routers, creating decent packet filter rules and setting up various
application level proxies. But so far i didn't find any information
on how to write a secuity policy - and i feel that it is rather important
to have one if only to show it to the pointy haired manager. 

Don't get me wrong, i know what should be allowed across the firewall
and i know how to implement it (actually i already did it on my 
private subnet) - but i really don't know how to write a security 
policy. Is there some sort of guideline on how to write a security 
policy?

regards
wolfi



-- 
-> Wolfgang Braun <braun () ai-lab fh-furtwangen de>
-> http://www2.ai-lab.fh-furtwangen.de/~braun
-> PGP Key fingerprint = F9 49 DC 2E A2 FC 5A 4C  91 70 8E AC 07 A7 27 98
-> finger me for public key

Attachment: _bin
Description: