Re: [fw-wiz] firewall rule lifecycle management

From: Kevin (kkadow_at_gmail.com)
Date: 08/31/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 30 Aug 2005 23:44:04 -0500

    On 8/30/05, Michael Cox <michael@wanderingbark.net> wrote:
    > Question: What do those of you in large environments do to manage your
    > rulesets in terms of removing access that is no longer required?

    This can be a real problem, especially for services which are only
    used for quarterly or biannual reports, if that often.

    We're just now migrating a number of B2B rules to new firewalls,
    and in this process we're discovering that fully half of the current
    rules are no longer used; in many cases the source or destination
    IP address no longer exists, often the employee listed as the
    contact on the original request is no longer with the company.

    Last week I was trying to track down a port and determined that the
    vendor offering the B2B service had been bought out and no longer
    exists under the original name. But the service is still running;
    I wonder if they know? (Legacy firewall policies cut both ways!)

    > We get lots of requests to add access, but are almost never told when
    > something can be removed. This is a large corporation with lots of
    > subcontractors, B2B, etc., and we're looking for ideas on how others
    > get a handle on this (or does anybody?).

    Our Sidewinder G2 firewalls offer fields for an end time and date
    under the "authentication" settings for each rule, and we are starting
    to request a termination date for all "short term" requests and
    entering this into the firewall. The vendor also offers an add-on
    reporting tool which can provide rule-based reports showing
    unused rules in the active firewall policy. I haven't tried this yet,
    as the "Security Reporter" only runs on Windows.

    It should be interesting to see what happens six months down the road,
    when these rules start to expire...

    Kevin Kadow

    --
    Moderator, Unofficial Sidewinder Firewall Users group:
    http://groups.yahoo.com/group/sidewinder-users/
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
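The lifecycle review Kevin describes (a termination date on each rule, a report of unused rules, and a check that the requesting contact still exists) can be scripted against a rule export. The following is an added example, not code from the list post or from the Sidewinder product; the rule records and their field names (`expires`, `last_hit`, `contact_active`) are constructed assumptions standing in for whatever a real firewall or reporting tool exports.

```python
from datetime import date, timedelta

# Constructed sample rule export (not a real firewall's format).
RULES = [
    {"name": "b2b-vendor-a", "expires": date(2005, 12, 31),
     "last_hit": date(2005, 8, 29), "contact_active": True},
    {"name": "b2b-vendor-b", "expires": date(2005, 6, 30),
     "last_hit": date(2005, 5, 2), "contact_active": True},
    {"name": "quarterly-report-feed", "expires": None,
     "last_hit": date(2005, 3, 31), "contact_active": True},
    {"name": "legacy-partner", "expires": None,
     "last_hit": None, "contact_active": False},
]


def review_rules(rules, today, stale_after=timedelta(days=90)):
    """Tag each rule with lifecycle findings.

    expired  - the recorded termination date has passed
    stale    - no traffic matched within stale_after (or never)
    orphaned - the contact on the original request is gone
    """
    findings = {}
    for r in rules:
        tags = []
        if r["expires"] is not None and r["expires"] < today:
            tags.append("expired")
        if r["last_hit"] is None or today - r["last_hit"] > stale_after:
            tags.append("stale")
        if not r["contact_active"]:
            tags.append("orphaned")
        findings[r["name"]] = tags
    return findings


def triage(findings):
    """Split findings into removal candidates and rules needing owner confirmation.

    A rule that is merely stale is only a prompt to ask the owner: services used
    for quarterly or biannual reports look unused for most of the year.
    """
    remove = sorted(n for n, t in findings.items() if "expired" in t or "orphaned" in t)
    confirm = sorted(n for n, t in findings.items() if t == ["stale"])
    return {"remove": remove, "confirm": confirm}


if __name__ == "__main__":
    found = review_rules(RULES, date(2005, 8, 31))
    for name, tags in found.items():
        print(f"{name:24} {', '.join(tags) or 'ok'}")
    print(triage(found))
```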
    
