Re: [fw-wiz] Security policy language




The closest I've seen anyone get is Avishai Wool's firewall rules parser.
It's been a couple of years, so I can't speak for its condition now, but at
the time I looked at it it was the nearest thing I'd ever seen to a tool for
comparing firewall security configurations across multiple devices and
(eventually) multiple firewall vendors.

Thanks Tina!

FYI, the technology is available and actively developed
http://www.algosec.com
It's still focused on just the firewall - we don't claim to solve all security
problems with one piece of software... So, we don't look at, e.g., the database
access control in the back-end system, or at human processes, or <fill in blank>

IMHO, firewalls offer rather rich configuration languages - rich enough for
many organizations to get royally messed up - but are still structured enough
so an automatic system can understand the policy and check it for gross errors
and sloppy details, across multiple vendors and for all levels of rule
complexity.

I think the original poster was more interested in the "Firmato" system we did
back in Bell Labs in 1998, which was a firewall rule compiler that had a
rather high-level specification language (separate policy from network
specifics! - you could actually write a single generic policy and apply it to
different firewalls, with different numbers of interfaces, and different
vendors!). It also was a flat-text-file language - you could write multi-line
comments wherever you wanted, not just in the Comments field in a
point-and-click GUI :)  Tom Limoncelli actually used it to configure the Bell
Labs operational firewall for a few months, which I always thought was pretty
cool. That project didn't go too far commercially - read our TOCS paper for a
historical perspective and tech details - available from
http://www.eng.tau.ac.il/~yash/fw/index.html

The original poster is exactly right that we invented an "ad hoc language" using
bison and flex. Sure did. But the syntax, and tools, are mostly irrelevant. The
_concepts_ and _algorithms_ are the important part. You could use the same
concepts and format them in XML or whatever meta-syntax-du-jour you go for
these days ...


But that's a *long* way from a "security policy language." It's a poorly
defined goal: it incorporates machines, networks, workflow, business
practices *and* political maneuvering all in one big bowl o' muck.

yeah, sure - but if you start with such a tall order, the likely outcome is
futile frustration (or a $50BN government project overrun 10 years past its
projected deadline :-). I prefer to aim lower, to something challenging, but
still within reach...

Avishai
--
Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
http://www.algosec.com
******* Firewall Management Made Smarter *******
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
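An added illustration of the two ideas in the reply above: a single generic policy, written against named zones and services, compiled for firewalls with different interface layouts, followed by an automatic check for one class of "gross error" (a rule that can never match because an earlier rule already covers it). This is example code written for this page, not Firmato's language, compiler or algorithms, and not AlgoSec's product; the policy syntax, the zone and interface model, the two constructed firewall boxes and the output formats are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Vendor-neutral vocabulary shared by every firewall (constructed for this example).
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22), "dns": ("udp", 53)}
# Simplification: "internet" is 0.0.0.0/0; a real compiler would subtract the internal prefixes.
ZONES = {"internet": "0.0.0.0/0", "dmz": "10.1.0.0/24", "inside": "10.2.0.0/16", "mgmt": "10.9.0.0/24"}

# One policy statement: (action, source zone, destination zone, service). Order matters.
Policy = List[Tuple[str, str, str, str]]

POLICY: Policy = [
    ("allow", "internet", "dmz", "https"),
    ("allow", "inside", "internet", "https"),
    ("allow", "inside", "dmz", "http"),
    ("allow", "mgmt", "dmz", "ssh"),
    ("deny", "internet", "dmz", "https"),   # constructed mistake: already allowed by the first line
]


@dataclass
class Firewall:
    name: str
    interfaces: Dict[str, Set[str]]   # interface name -> zones reached through that interface

    def iface_for(self, zone: str) -> Optional[str]:
        for iface, zones in self.interfaces.items():
            if zone in zones:
                return iface
        return None


# Two constructed sites running the same policy on very different boxes.
EDGE = Firewall("edge-2port", {"eth0": {"internet"}, "eth1": {"dmz", "inside", "mgmt"}})
CORE = Firewall("core-4port", {"ge0": {"internet"}, "ge1": {"dmz"}, "ge2": {"inside"}, "ge3": {"mgmt"}})


def compile_policy(policy: Policy, fw: Firewall) -> List[dict]:
    """Instantiate the generic policy for one firewall: keep only statements whose
    traffic actually crosses this box, then append an explicit default deny."""
    rules = []
    for action, src, dst, svc in policy:
        src_if, dst_if = fw.iface_for(src), fw.iface_for(dst)
        if src_if is None or dst_if is None or src_if == dst_if:
            continue   # both zones sit behind the same interface (or are unknown): no rule here
        proto, port = SERVICES[svc]
        rules.append({"in": src_if, "out": dst_if, "src": ZONES[src], "dst": ZONES[dst],
                      "proto": proto, "dport": port, "action": action})
    rules.append({"in": "any", "out": "any", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
                  "proto": "any", "dport": "any", "action": "deny"})
    return rules


def _covers(outer: dict, inner: dict) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    def net_covers(a: str, b: str) -> bool:
        return ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a))

    def field_covers(a, b) -> bool:
        return a == "any" or a == b

    return (field_covers(outer["in"], inner["in"]) and field_covers(outer["out"], inner["out"])
            and net_covers(outer["src"], inner["src"]) and net_covers(outer["dst"], inner["dst"])
            and field_covers(outer["proto"], inner["proto"])
            and field_covers(outer["dport"], inner["dport"]))


def find_shadowed(rules: List[dict]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, shadowing_index) pairs: rules that can never fire
    because an earlier rule already matches everything they would."""
    found = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if _covers(rules[j], rule):
                found.append((i, j))
                break
    return found


def render_iptables(rules: List[dict]) -> List[str]:
    """One back end: iptables FORWARD-chain commands for a Linux box."""
    lines = []
    for r in rules:
        target = "ACCEPT" if r["action"] == "allow" else "DROP"
        if r["proto"] == "any":
            lines.append(f"iptables -A FORWARD -j {target}")
        else:
            lines.append(f"iptables -A FORWARD -i {r['in']} -o {r['out']} -s {r['src']} "
                         f"-d {r['dst']} -p {r['proto']} --dport {r['dport']} -j {target}")
    return lines


def render_pseudo_acl(rules: List[dict]) -> List[str]:
    """A second back end in a constructed ACL-style syntax, to show that the
    compiled rule set, not the text format, is the vendor-independent part."""
    return [f"{'permit' if r['action'] == 'allow' else 'deny'} {r['proto']} {r['src']} {r['dst']} "
            f"port {r['dport']} in {r['in']} out {r['out']}" for r in rules]


if __name__ == "__main__":
    for fw in (EDGE, CORE):
        rules = compile_policy(POLICY, fw)
        print(f"# {fw.name}: {len(rules)} rules, shadowed (rule, by): {find_shadowed(rules)}")
        print("\n".join(render_iptables(rules)))
```

The same five-line policy yields four rules on the two-interface box (the inside-to-dmz and mgmt-to-dmz statements never cross it) and six on the four-interface box, and on both the constructed trailing deny is reported as shadowed by the first allow; the check compares interfaces, prefixes, protocol and port, so it catches only exact containment, the simplest of the redundancy and ordering problems a real analyzer looks for.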


