Re: [fw-wiz] secure firewall rule management program



Mordechai,

AlgoSec FireFlow does pretty much exactly what you need.
It is definitely topology aware and can tell you which firewalls
you should modify to meet a change request.
It has rule expiration built in.
Supports Check Point, Cisco, Juniper, Fortinet.

http://www.algosec.com

Avishai

disclaimer: I'm AlgoSec CTO & Co-Founder so I'm biased.



On 9/3/09, Mordechai T. Abzug <morty+fw-wiz@xxxxxxxxxx> wrote:
Anyone have suggestions for a good, secure webified firewall rule
management program? I.e. the kind of thing where users submit
requests for firewall holes and there's support for workflow so that a
requested rule goes to an approver for approval, and if approved, it
then goes to an implementer for implementation. COTS or free is fine.

Requirements:

* Secure code! The firewall request system should not itself be a
security hole.

* The system should allow users to submit rule requests, to be
approved by designated "approvers", and if approved, implemented by
designated "implementers".

* Awareness of firewall topology. I.e. the product needs to be aware
of which firewalls a given request traverses so this information can
be available to approvers and implementers.

* The system should include a notion of rule expiration, with
attendant workflow.

* The system should support change requests to existing rules, with
attendant approver/implementer workflow.

* The ability to abstract users into departments or projects,
i.e. instead of the rule for the accounting web server belonging to
an individual, it belongs to "accounting". Even better if an
individual can submit for multiple projects, i.e. a sysadmin who
works for both accounting and marketing can annotate "this rule
belongs to accounting" and the like.

* Sane role/permissions scheme, i.e. user from department 1 can't
modify rule requests for department 2, and the like.

Desirements:

* The ability to export rulesets into popular firewall formats

* The ability to import existing rules from popular firewall formats

* The ability to search for IPs in rules using CIDR specifications

* COTS or free. We have some budget, but if there is something free,
we certainly won't complain.

[People who have been around a while might remember that I asked this
question some years ago. Unfortunately, there were no answers other
than some private, "yes, we'd like that too."]

- Morty
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
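To make the requirements above concrete, here is an added example (not code from the thread, nor from AlgoSec or any other product named in it) that models four of them on a constructed rule set: CIDR search over rules, rule expiration, department ownership with a matching permission check, and a deliberately simplified topology lookup. The addresses, owners and the firewall-to-network mapping are all assumptions made up for the example.

```python
# Added example, not code from the thread or from any product named in it.
# Models the requested features on a constructed rule set: CIDR search,
# rule expiration, department ownership, and a simplified topology lookup.
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional


@dataclass
class Rule:
    rule_id: int
    owner: str            # department or project, never an individual
    src: str
    dst: str
    port: int
    expires: Optional[date]


# Constructed sample rule set (hypothetical addresses and owners).
RULES = [
    Rule(1, "accounting", "10.1.0.0/24", "10.9.0.10/32", 443, date(2009, 12, 31)),
    Rule(2, "marketing", "10.2.0.0/24", "10.9.0.20/32", 80, None),
    Rule(3, "accounting", "10.1.5.0/24", "192.0.2.0/24", 22, date(2009, 6, 30)),
]

# Constructed topology: which firewall fronts which networks. Assumption:
# a flow traverses every firewall that fronts either of its endpoints.
FIREWALLS = {
    "fw-accounting": ["10.1.0.0/16"],
    "fw-marketing": ["10.2.0.0/16"],
    "fw-dmz": ["10.9.0.0/24", "192.0.2.0/24"],
}


def rules_matching(rules, cidr):
    """CIDR search: ids of rules whose source or destination overlaps the query."""
    q = ip_network(cidr)
    return [r.rule_id for r in rules
            if ip_network(r.src).overlaps(q) or ip_network(r.dst).overlaps(q)]


def expired(rules, today):
    """Ids of rules whose expiry date has passed; these should re-enter the workflow."""
    return [r.rule_id for r in rules if r.expires and r.expires < today]


def may_edit(user_depts, rule):
    """Role check: a user may change a rule only for a department they belong to."""
    return rule.owner in user_depts


def firewalls_traversed(src, dst):
    """Topology lookup: firewalls fronting the source or the destination network."""
    s, d = ip_network(src), ip_network(dst)
    return sorted(fw for fw, nets in FIREWALLS.items()
                  if any(ip_network(n).overlaps(s) or ip_network(n).overlaps(d)
                         for n in nets))
```

A real deployment would replace the static FIREWALLS map with routing information pulled from the devices, which is the "topology aware" part that makes this hard to do well.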



