Fwd: [fw-wiz] firewall rule lifecycle management

From: Brenno Hiemstra (brenno.hiemstra_at_gmail.com)
Date: 08/31/05

  • Next message: Chuck Swiger: "Re: [fw-wiz] Windows VPN/RRAS traffic through watchguard"
    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 31 Aug 2005 14:51:55 +0200
    
    

    Forgot to include the mailing list.

    > ---------- Forwarded message ----------
    > From: Brenno Hiemstra <brenno.hiemstra@gmail.com>
    > Date: Aug 31, 2005 11:06 AM
    > Subject: Re: [fw-wiz] firewall rule lifecycle management
    > To: Michael Cox <michael@wanderingbark.net>
    >
    > Michael,
    >
    > We use a web-based solution where people need to supply their firewall rules.
    > When they fill in the form they need to provide detailed information (source
    > IP, destination IP, destination port, etcetera). This also needs to be
    > validated by the firewall team.
    >
    > When all the bureaucratic stuff is done, the rule gets a tracking
    > number which is also put into the firewall rulebase as 'more information'.
    > This way you can always go back and track the rule to see what it was about.
    >
    > Each rule has a lifecycle of 1 year, after which it needs to be re-validated by a
    > responsible person. If that doesn't happen, or the user removes the rule in
    > the system, the rule is removed from the firewall.
    >
    > You also need to keep logging information so you can track how much the rule
    > is being used. After a certain period of time (e.g. 3 months) you can think
    > about removing the rule from the firewall.
    >
    > Just a few options to think about.
    >
    > Brenno.
    >
    > On 8/30/05, Michael Cox <michael@wanderingbark.net> wrote:
    > >
    > > Hi all.
    > >
    > > Question: What do those of you in large environments do to manage your
    > > rulesets in terms of removing access that is no longer required? We get
    > > lots of requests to add access, but are almost never told when
    > > something can be removed. This is a large corporation with lots of
    > > subcontractors, B2B, etc., and we're looking for ideas on how others
    > > get a handle on this (or does anybody?).
    > >
    > > Thanks in advance!
    > > Michael
    > > _______________________________________________
    > > firewall-wizards mailing list
    > > firewall-wizards@honor.icsalabs.com
    > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > >
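The lifecycle Brenno describes (tracking number stored in the rulebase comment, yearly re-validation by an owner, hit-count logging, removal after a period of no use) is easy to turn into a periodic job. The script below is an added example written for this archive page, not code from anyone on the thread or from any firewall product. It assumes a hypothetical rulebase export where each rule carries its tracking id, and a hypothetical log format in which the firewall writes that tracking id on every accepted packet (`rule=FW-1001`); both the rules and the log lines are constructed for illustration.

```python
"""Firewall rule lifecycle evaluator (added example, not from the thread).

Every rule carries a tracking number that is also written into the
rulebase comment, must be re-validated yearly by an owner, and is dropped
if it expires without re-validation or if hit-count logging shows no use
for a set period. All rules, owners and log lines are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
import re

REVALIDATION_PERIOD = timedelta(days=365)   # one year, as in the thread
UNUSED_PERIOD = timedelta(days=90)          # "e.g. 3 months" of no hits
TODAY = date(2005, 8, 31)                   # evaluation date for the sample run


@dataclass
class Rule:
    tracking_id: str        # ticket number stored in the rulebase comment
    src: str
    dst: str
    dport: int
    owner: str
    last_validated: date    # last time the owner confirmed the rule is needed
    created: date


# Constructed rulebase; the tracking id is the 'more information' field.
RULES = [
    Rule("FW-1001", "10.1.2.0/24", "10.9.0.5", 443, "alice", date(2005, 1, 15), date(2004, 1, 15)),
    Rule("FW-1002", "192.0.2.10", "10.9.0.7", 1433, "bob", date(2004, 6, 1), date(2004, 6, 1)),
    Rule("FW-1003", "10.3.0.0/16", "10.9.0.9", 22, "carol", date(2005, 7, 20), date(2005, 7, 20)),
    Rule("FW-1004", "198.51.100.4", "10.9.0.11", 8080, "dave", date(2005, 8, 1), date(2005, 3, 1)),
]

# Constructed log lines in an assumed "<date> <host> ACCEPT ... rule=<id>" format.
# DROP lines and lines without a tracking id carry no rule usage and are skipped.
LOG_LINES = """\
2005-08-30 09:12:01 fw1 ACCEPT src=10.1.2.33 dst=10.9.0.5 dport=443 rule=FW-1001
2005-08-30 09:12:05 fw1 ACCEPT src=10.1.2.34 dst=10.9.0.5 dport=443 rule=FW-1001
2005-05-02 11:00:00 fw1 ACCEPT src=192.0.2.10 dst=10.9.0.7 dport=1433 rule=FW-1002
2005-08-29 23:59:59 fw1 ACCEPT src=10.3.4.5 dst=10.9.0.9 dport=22 rule=FW-1003
2005-08-30 10:00:00 fw1 DROP src=203.0.113.9 dst=10.9.0.11 dport=8080
"""

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ \S+ ACCEPT .* rule=(\S+)$")


def last_hits(log_text):
    """Return {tracking_id: (hit_count, last_hit_date)} from ACCEPT log lines."""
    counts = Counter()
    last = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        day, rid = date.fromisoformat(m.group(1)), m.group(2)
        counts[rid] += 1
        last[rid] = max(last.get(rid, day), day)
    return {rid: (counts[rid], last[rid]) for rid in counts}


def evaluate(rules, log_text, today):
    """Classify each rule: 'expired' (no re-validation within a year),
    'unused' (no accepted traffic for UNUSED_PERIOD, measured from the last
    hit or, if it never matched, from creation) or 'keep'."""
    usage = last_hits(log_text)
    verdicts = {}
    for r in rules:
        if today - r.last_validated > REVALIDATION_PERIOD:
            verdicts[r.tracking_id] = "expired"
            continue
        _hits, last = usage.get(r.tracking_id, (0, None))
        reference = last if last is not None else r.created
        verdicts[r.tracking_id] = "unused" if today - reference > UNUSED_PERIOD else "keep"
    return verdicts


def removal_candidates(rules, log_text, today):
    """Tracking ids to raise with their owners before removal, sorted."""
    return sorted(rid for rid, v in evaluate(rules, log_text, today).items() if v != "keep")


if __name__ == "__main__":
    for rid, verdict in sorted(evaluate(RULES, LOG_LINES, TODAY).items()):
        print(f"{rid}: {verdict}")
    print("remove:", removal_candidates(RULES, LOG_LINES, TODAY))
```

Two design points worth noting. The "unused" clock for a rule that has never matched starts at its creation date, so a rule requested for a project that never went live still ages out instead of surviving forever. And the job only produces a candidate list; as the thread says, the owner is asked to re-validate before the rule is actually pulled, which is also the moment to confirm the tracking id in the rulebase comment still matches the ticket.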

