Firewall Wizards mailing list archives

Re: Security Policy


From: Bill_Royds () pch gc ca
Date: Wed, 22 Oct 1997 11:19:28 -0400

What I did when we set up our firewall was make a set of policy matrices.
The main one was a list of services (with a short description) as rows and
with security domains as columns:

Service | External  DMZ       Internal
--------+------------------------------
http    | to        to        from
ftp     | to        to        from

etc.
Explaining the sources and sinks of possible connections.
Later matrices were expanded to have rules for every server on DMZ and any
particular rules (smtp was allowed into internal only from
a particular trusted server on DMZ acting as mail hub, etc.)  The table
format (using a spreadsheet) helped explain the implications of the
implicit (Everybody allowed out, nobody allowed in) security policy.






braun () cassandra kiosk ch on 97-10-20 09:20:59 AM

Please respond to braun () cassandra kiosk ch

To:   firewall-wizards () nfr net
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  Security Policy




Greetings
I'm currently working here for this organisation in Switzerland, one
of my main jobs being to come up with a (hopefully reliable) firewall
solution. So for some weeks now i read Chapman & Zwicky's book on
firewalls, various security related newsgroups and mailing lists and
chase every bit of information about firewall tools that i can find.
That's all ok so far. I made myself familiar with the tools i want to
use and tested them out on a subnet i set up especially for this
purpose.
But since i'm subscribed to firewall-wizards, i get the feeling that
something very basic is missing, and last night i found out what it
is: A Security Policy!
You can really find tons of information on how to set up your screening
routers, creating decent packet filter rules and setting up various
application level proxies. But so far i didn't find any information
on how to write a security policy - and i feel that it is rather important
to have one if only to show it to the pointy haired manager.
Don't get me wrong, i know what should be allowed across the firewall
and i know how to implement it (actually i already did it on my
private subnet) - but i really don't know how to write a security
policy. Is there some sort of guideline on how to write a security
policy?
regards
wolfi


--
-> Wolfgang Braun <braun () ai-lab fh-furtwangen de>
-> http://www2.ai-lab.fh-furtwangen.de/~braun
-> PGP Key fingerprint = F9 49 DC 2E A2 FC 5A 4C  91 70 8E AC 07 A7 27 98
-> finger me for public key
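
The policy matrix described in the reply above, expanded into explicit default-deny flow rules, as an added example that is not part of the original posts. It assumes "from" marks a domain that may originate a connection and "to" one that may receive it; the smtp row, the host name and all function names are constructed for illustration.

```python
from itertools import product

# Constructed sample matrix in the layout described above: "from" marks a
# domain that may originate connections, "to" one that may receive them.
MATRIX = """\
service  External  DMZ   Internal
http     to        to    from
ftp      to        to    from
smtp     -         from  to
"""

# Hypothetical per-server refinement: smtp into Internal only from the mail hub.
HOST_RULES = {("smtp", "DMZ", "Internal"): {"mailhub.dmz.example"}}


def parse_matrix(text):
    """Return {service: {domain: cell}} from the whitespace-separated table."""
    header, *rows = [line.split() for line in text.strip().splitlines()]
    domains = header[1:]
    matrix = {}
    for row in rows:
        if len(row) != len(header):
            raise ValueError(f"malformed row: {row}")
        matrix[row[0]] = dict(zip(domains, row[1:]))
    return matrix


def expand_flows(matrix):
    """Expand each row into explicit (service, source, sink) permits."""
    flows = set()
    for service, cells in matrix.items():
        sources = [d for d, c in cells.items() if c == "from"]
        sinks = [d for d, c in cells.items() if c == "to"]
        flows.update((service, s, d) for s, d in product(sources, sinks))
    return flows


def is_allowed(flows, service, src, dst, src_host=None):
    """Default deny: permit only listed flows, honouring host restrictions."""
    if (service, src, dst) not in flows:
        return False
    hosts = HOST_RULES.get((service, src, dst))
    return hosts is None or src_host in hosts


def inbound_exceptions(flows, protected="Internal"):
    """Flows ending in the protected domain, i.e. departures from 'nobody in'."""
    return sorted(f for f in flows if f[2] == protected)


FLOWS = expand_flows(parse_matrix(MATRIX))
```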
