Re: DMZ / Firewall rule diagramming
From: Spigga (spigga_at_gmail.com)
Date: 12/07/04
- Previous message: Mike: "Re: HardDisk Password recovery."
- In reply to: Michael Gale: "Re: DMZ / Firewall rule diagramming"
- Next in thread: Spigga: "Re: DMZ / Firewall rule diagramming"
- Reply: Spigga: "Re: DMZ / Firewall rule diagramming"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 7 Dec 2004 14:00:39 -0600
To: Michael Gale <michael.gale@bluesuperman.com>
Man I had a meeting yesterday with Solsoft and their application not
only gives you a very clear picture on the traffic but will configure
all the devices in the path to allow traffic by drawing the line.
Looks VERY nice, though so does the price.... I wish I could have
just the drawing part for free.
On Sun, 05 Dec 2004 22:47:20 -0700, Michael Gale
<michael.gale@bluesuperman.com> wrote:
> Hello,
>
> I understand what you want now ... I don't believe this has ever been
> done as a standard.
>
> Michael.
>
> Craig Humphrey wrote:
> > Hi Michael,
> >
> > From the responses I'm getting, I don't think I explained the situation
> > very well.
> >
> > I'm not after "how to write rules" or "what rules should I have". I'm
> > looking for a generic way to diagram the rules I already have.
> > Preferably something nice and visual (like Visio), but even Visio starts
> > to get cumbersome with a complex DMZ, even breaking flows/rules into
> > layers only goes so far.
> >
> > I was hoping that the industry had developed some formal standards for
> > diagramming DMZs and flows/rules.
> >
> > Thanks
> > Craig
> >
> >
> >
> >>-----Original Message-----
> >>From: Michael Gale [mailto:michael.gale@bluesuperman.com]
> >>Sent: Monday, December 06, 2004 3:26 PM
> >>To: Craig Humphrey; security-basics@securityfocus.com
> >>Subject: Re: DMZ / Firewall rule diagramming
> >>
> >>Hello,
> >>
> >>Check out some firewall appliances ... most of them have some sort of
> >>standard.
> >>
> >>For example I used the following:
> >>
> >>Connections from Internal to the DMZ are allowed if they match one of
> >>the forward rules on the firewall.
> >>
> >>The forward rules only allow packets from source addresses to
> >>destination addresses on specific ports which are ruled to be a business
> >>requirement.
> >>
> >>For connections coming from the DMZ to the internal network which are
> >>required for business (Example. Postfix SMTP server to forward mail on
> >>to Exchange). The DMZ server connects to a proxy or a NATing rule.
> >>
> >>DMZ servers never know the IP of an internal server; the DMZ network has
> >>the same relation with the internal network as the external network
> >>does with the DMZ.
> >>
> >>So the DMZ mail server would connect to port 25 on the firewall and that
> >>traffic would get forwarded to the Exchange server.
> >>
> >>That is the standard that I use ... was this what you were looking for ?
> >>
> >>Michael
>
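Craig asks for a generic way to diagram the rules he already has, and Michael's convention is that DMZ hosts only ever talk to the firewall, never to an internal address. The following Python script is an added example, not code from anyone in this thread or from Solsoft: it takes a rule set in a simple constructed schema, maps each address to a zone, emits a Graphviz DOT diagram of the allowed flows between zones, and colours in red any allow rule that crosses DMZ-to-internal or external-to-internal directly (the two crossings Michael's convention forbids). The zone address ranges, the rule list and the `Rule` field layout are all assumptions made for the example.

```python
"""Diagram a firewall rule set as Graphviz DOT and flag rules that break the
'DMZ never talks to internal directly' convention. Example code; the zones
and rules below are constructed and not taken from any real network."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone layout (assumption). The "firewall" entry is the
# firewall's own DMZ-facing address, the only internal-side destination a
# DMZ host is supposed to reach (the proxy / NAT hop in Michael's setup).
ZONES = {
    "firewall": ip_network("198.51.100.1/32"),
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}

# Direct crossings that violate the convention: DMZ -> internal must go via
# the firewall, and the outside must never reach internal hosts at all.
FORBIDDEN = {("dmz", "internal"), ("external", "internal")}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # address or CIDR
    dst: str      # address or CIDR
    port: int
    action: str   # "allow" or "deny"


def zone_of(addr: str) -> str:
    """Map an address or CIDR to a zone; anything unlisted is external."""
    net = ip_network(addr, strict=False)
    for zone, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return zone
    return "external"


def find_violations(rules):
    """Allow rules whose (source zone, destination zone) is forbidden."""
    return [r for r in rules
            if r.action == "allow"
            and (zone_of(r.src), zone_of(r.dst)) in FORBIDDEN]


def to_dot(rules) -> str:
    """Render allow rules as zone-to-zone edges; violations drawn in red."""
    bad = set(find_violations(rules))
    lines = ["digraph dmz {", "  rankdir=LR;"]
    for zone in ("external", "firewall", "dmz", "internal"):
        lines.append(f'  "{zone}" [shape=box];')
    for r in rules:
        if r.action != "allow":
            continue
        style = ' color="red"' if r in bad else ""
        lines.append(f'  "{zone_of(r.src)}" -> "{zone_of(r.dst)}" '
                     f'[label="{r.name}: {r.dst}:{r.port}"{style}];')
    lines.append("}")
    return "\n".join(lines)


# Constructed sample rule set (assumption), following Michael's description:
# internal -> DMZ forward rules, DMZ mail server -> firewall port 25, firewall
# -> Exchange, plus two deliberately wrong rules to show the red edges.
RULES = [
    Rule("web-admin", "10.0.0.0/8", "192.0.2.10", 443, "allow"),
    Rule("inet-web", "0.0.0.0/0", "192.0.2.10", 80, "allow"),
    Rule("smtp-relay", "192.0.2.25", "198.51.100.1", 25, "allow"),
    Rule("fw-to-exchange", "198.51.100.1", "10.1.1.5", 25, "allow"),
    Rule("bad-direct", "192.0.2.25", "10.1.1.5", 25, "allow"),
    Rule("inet-internal", "0.0.0.0/0", "10.1.1.5", 445, "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]

if __name__ == "__main__":
    print(to_dot(RULES))          # pipe into: dot -Tpng -o rules.png
    for r in find_violations(RULES):
        print("VIOLATION:", r.name, r.src, "->", r.dst)
```

Piping the output through `dot -Tpng` gives one box per zone with labelled edges, which stays readable as the rule count grows because rules collapse onto zone pairs rather than host pairs; the same zone mapping can be extended with more zones (several DMZ segments, management) without changing the check.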