Firewall Wizards mailing list archives
Re: Security Policy
From: Bill_Royds () pch gc ca
Date: Wed, 22 Oct 1997 11:19:28 -0400
What I did when we set up our firewall was make a set of policy matrices. The main one was a list of services (with a short description) as rows and with security domains as columns Service External DMZ Internal --------------------------------------------------------------------------- -------- http | to to from ftp | to to from etc. Explaining the sources and sinks of possible connections. Later matrices were expanded to have rules for every server on DMZ and any particular rules (smtp was allowed into internal only from a particular trusted server on DMZ acting as mail hub, etc.) The table format (using a spreadsheet) helped explain the implications of the implict (Everybody allowed out, nobody allowed in) security policy. braun () cassandra kiosk ch on 97-10-20 09:20:59 AM Please respond to braun () cassandra kiosk ch To: firewall-wizards () nfr net cc: (bcc: Bill Royds/HullOttawa/PCH/CA) Subject: Security Policy Greetings I'm currently working here for this organisation in switzerland, one of my main jobs being to come up with a (hopefully reliable) firewall solution. So for some weeks now i read Chapman & Zwicky's book on firewalls, various security related newsgroups and mailing lists and chase every bit of information about firewall tools that i can find. That's all ok so far. I made myself familiar with the tools i want to use and tested them out on a subnet i set up especially for this purpose. But since i'm subscribed to firewall-wizards, i get the feeling that something very basic is missing, and last night i found out what it is: A Security Policy! You can really find tons of information on how to set up your screening routers, creating decent packet filter rules and setting up various application level proxies. But so far i didn't find any information on how to write a secuity policy - and i feel that it is rather important to have one if only to show it to the pointy haired manager. Don't get me wrong, i know what should be allowed across the firewall and i know how to implement it (actually i already did it on my private subnet) - but i really don't know how to write a security policy. Is there some sort of guideline on how to write a security policy? regards wolfi -- -> Wolfgang Braun <braun () ai-lab fh-furtwangen de> -> http://www2.ai-lab.fh-furtwangen.de/~braun -> PGP Key fingerprint = F9 49 DC 2E A2 FC 5A 4C 91 70 8E AC 07 A7 27 98 -> finger me for public key
Attachment:
att1.unk
Description:
Current thread:
- Security Policy Wolfgang 'Robyn' Braun (Oct 21)
- Re: Security Policy Fred Donck (Oct 22)
- Re: Security Policy Damir Rajnovic (Oct 22)
- Re: Security Policy Paul Pomes (Oct 23)
- Re: Security Policy Adam Shostack (Oct 22)
- Re: Security Policy Bennett Todd (Oct 22)
- Re: Security Policy Joseph S. D. Yao (Oct 23)
- Re: Security Policy Joseph S. D. Yao (Oct 23)
- <Possible follow-ups>
- Re: Security Policy Bill_Royds (Oct 22)
- RE: Security Policy Januszewski, Joseph (Oct 23)
- Re: Security Policy H. Morrow Long (Oct 23)
- RE: Security Policy McKenna, Joe (Oct 23)
- Re: Security Policy Bennett Todd (Oct 24)