Firewall Wizards mailing list archives
Q. Enterprise firewall Management Tool - Am I dreaming?
From: Alan Morewood <morewood () on bell ca>
Date: Fri, 2 Oct 1998 10:04:40 -0400 (EDT)
Firewall vendors have asked me, when I have reviewed their firewalls, what it is I would add or change to their product. My response is that I have not seen a firewall with an enterprise management system.

This type of management system would give the project contacts the ability to fill in most of their access requirements at very short notice. The data would be entered into the firewall management system in a format which would allow a firewall manager to merely approve or deny a request. Rules would be removed automatically when they expire. Contact information would stay up to date, within a year or whatever period is defined as the maximum expiry period for a project/contract. The auditors would have something to audit against which would have all the necessary information. Most importantly, it moves some of the management costs to the individual projects, reducing the costs allocated to the firewall group. Further, it would facilitate the work of the firewall group and would ease tracking of project requests; when a project contact claims requests take too long to process, the firewall group could easily identify when the request for access arrived. Sometime in the future it may even be feasible to have digital signatures used to ensure that the project contact is really the project contact and that the firewall approval is done by a firewall manager.

This type of database with nice (web) forms and queries would take a while to develop. Perhaps a company like Jetform already has a tool to do this? Or maybe one of the firewall vendors or third party vendors has something like this for specific firewall products?

There are a few key parts to this:

 . The users fill in the data, it is only approved by the firewall group
   (client software should already be available if possible)
 . rules get removed automatically when they expire
 . users get warned that their access is about to expire

Anybody have any ideas as to any products which can do all this?

I would think that a firewall vendor would have a significant advantage on the market if they had a product which could do this. Further, a vendor neutral version of this could become a big player in the market. In a large company, routers with ACLs managed using such a tool would probably be more secure than the most technically advanced firewalls managed without such a tool.

Al

Here is the way that I see an enterprise firewall management system:

1. A project leader goes to a web page and fills in some details which are
   automatically entered into a database:
    . project name
    . project purpose
    . project sensitivities
    . project contacts (business, technical, etc.) (phone & email address)
    . project start date
    . project end date
    . etc.

   My idea of a project might be a single administrator who has hired an
   external contractor to develop an application, or it could be an
   enterprise wide service which is contracted to a specific department on
   a private portion of an enterprise WAN. The project contact(s) will most
   likely be employees.

2. The project leader then fills in the rules that are necessary for her
   project, i.e.

      access from: XYZ.company (maybe list from IP network, if known)
      via:         (selected gateway if known)
      to:          site 10.0.1.126/32 service http

   Both the site and the service field would need to be flexible to allow
   many sites/services, and to allow specific port numbers. Perhaps some
   form of batch upload is needed, although this could be handled using a
   different front end if necessary.

3. The firewall department then reviews the access requirements to see if
   they meet the corporate standards. If all is acceptable, then the rules
   are approved. Timestamp and firewall manager identified.

4. The project leader then identifies who from the remote site is
   authorized to access her project, i.e.

      access from "Joe Blow", if firewall does user authentication
   or
      access from "10.2.0.1", if firewall is based on IP address

   If "Joe Blow" is external to the company, then an account would need to
   be generated which identifies Joe, what company he works for, the expiry
   date of his contract, etc.

5. The firewall department then adds user Joe to the list of authorized
   users, or completes the access requirement list source IP address if
   authentication at the firewall is not being done.

6. Every night, or continuously, an extract is done from the firewall
   database. The query would begin by looking for projects, user and rule
   expiry dates and see if any expire within the next 30 days; if so email
   is sent to the project contact to ensure that she is aware of a rule set
   which is about to expire. Then, a query is done to find all approved
   rules for firewall A which are "started" but not "expired" and these
   rules are extracted from the database. These rules would then need to be
   formatted into something the firewall understood. Perhaps ACLs for a
   router, perhaps commands for a firewall interface; depending on the
   platform only the deltas might be sent. Similar queries would be run for
   all other firewalls.

-end
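The nightly extract in step 6 is the part of the design that can be shown concretely. The following is an added example written for this archive page, not code from the original post or from any vendor product it mentions: it assumes a small SQLite schema (project and rule tables), a handful of constructed sample rows dated around the post, and Cisco IOS extended-ACL syntax as the "something the firewall understood". It runs the two queries the post describes (expiry warnings within 30 days, then approved rules that have started but not expired, per firewall), renders them as ACL lines, and computes the delta between two nights' output.

```python
"""Nightly extract for the request database sketched in the post.
Schema, sample rows, SERVICES map and IOS ACL output are all assumptions."""
import ipaddress
import sqlite3
from datetime import date, timedelta

SCHEMA = """
CREATE TABLE project (name TEXT PRIMARY KEY, contact_email TEXT NOT NULL,
                      start TEXT NOT NULL, expiry TEXT NOT NULL);
CREATE TABLE rule (id INTEGER PRIMARY KEY, project TEXT NOT NULL REFERENCES project(name),
                   firewall TEXT NOT NULL, src TEXT NOT NULL, dst TEXT NOT NULL,
                   service TEXT NOT NULL, start TEXT NOT NULL, expiry TEXT NOT NULL,
                   approved_by TEXT, approved_at TEXT);
"""
# Service names the request form accepts -> protocol/port (assumed set).
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22)}
TODAY = date(1998, 10, 2)  # date of the post, used as the constructed "tonight"


def days_after(n, today=TODAY):
    return today + timedelta(days=n)


def open_demo_db(today=TODAY):
    """In-memory database populated with constructed sample rows (ISO dates sort lexically)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    d = lambda n: days_after(n, today).isoformat()
    conn.executemany("INSERT INTO project VALUES (?,?,?,?)", [
        ("xyz-portal", "lead@example.com", d(-100), d(200)),
        ("payroll-migration", "hr@example.com", d(-10), d(20)),
    ])
    conn.executemany("INSERT INTO rule VALUES (?,?,?,?,?,?,?,?,?,?)", [
        (1, "xyz-portal", "fw-A", "10.2.0.1", "10.0.1.126", "http", d(-100), d(10), "fwmgr", d(-99)),   # active, expires soon
        (2, "xyz-portal", "fw-A", "10.2.0.1", "10.0.1.126", "https", d(-100), d(200), "fwmgr", d(-99)), # active
        (3, "xyz-portal", "fw-A", "10.2.0.2", "10.0.1.126", "ssh", d(-100), d(-1), "fwmgr", d(-99)),    # already expired
        (4, "payroll-migration", "fw-A", "10.3.0.0/24", "10.0.5.10", "https", d(5), d(20), "fwmgr", d(-1)),  # not started
        (5, "payroll-migration", "fw-A", "10.3.0.0/24", "10.0.5.10", "ssh", d(-10), d(20), None, None),      # not approved
        (6, "payroll-migration", "fw-B", "10.3.0.0/24", "10.0.5.10", "https", d(-10), d(20), "fwmgr", d(-1)), # other firewall
    ])
    return conn


def expiring_soon(conn, today=TODAY, within_days=30):
    """First query: projects and rules whose expiry falls inside the warning window."""
    lo, hi = today.isoformat(), days_after(within_days, today).isoformat()
    return conn.execute("""
        SELECT 'project', name, contact_email, expiry FROM project WHERE expiry BETWEEN ? AND ?
        UNION ALL
        SELECT 'rule', r.id, p.contact_email, r.expiry
          FROM rule r JOIN project p ON p.name = r.project WHERE r.expiry BETWEEN ? AND ?
        ORDER BY 4, 1, 2""", (lo, hi, lo, hi)).fetchall()


def active_rules(conn, firewall, today=TODAY):
    """Second query: approved rules that have started and have not expired."""
    t = today.isoformat()
    return conn.execute("""SELECT id, src, dst, service FROM rule
                            WHERE firewall = ? AND approved_by IS NOT NULL
                              AND start <= ? AND expiry > ? ORDER BY id""", (firewall, t, t)).fetchall()


def _acl_addr(text):
    """Render a host or CIDR prefix in IOS address/wildcard form."""
    net = ipaddress.ip_network(text, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def format_ios_acl(rules, acl_no=101):
    """Format extracted rules as an IOS extended ACL; the remark keeps the request id for audit."""
    lines = []
    for rule_id, src, dst, service in rules:
        proto, port = SERVICES[service]
        lines.append(f"access-list {acl_no} remark request {rule_id}")
        lines.append(f"access-list {acl_no} permit {proto} {_acl_addr(src)} {_acl_addr(dst)} eq {port}")
    lines.append(f"access-list {acl_no} deny ip any any")
    return lines


def delta(previous, current):
    """(lines to add, lines to remove) for platforms where only deltas are sent."""
    prev, cur = set(previous), set(current)
    return sorted(cur - prev), sorted(prev - cur)


def nightly_extract(conn, today=TODAY):
    """Run the per-firewall extract for every firewall that has rules."""
    firewalls = [r[0] for r in conn.execute("SELECT DISTINCT firewall FROM rule ORDER BY 1")]
    return {fw: format_ios_acl(active_rules(conn, fw, today)) for fw in firewalls}


if __name__ == "__main__":
    db = open_demo_db()
    for kind, ident, email, expiry in expiring_soon(db):
        print(f"WARN {email}: {kind} {ident} expires {expiry}")
    for fw, lines in nightly_extract(db).items():
        print(f"--- {fw}\n" + "\n".join(lines))
```

Rules that are unapproved, not yet started, already expired, or belong to another firewall never reach the ACL, which is the property an auditor would check; the expiry warning, by contrast, is sent for every row in the window regardless of approval state, so a project contact hears about a pending request that is about to lapse as well.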