Re: DMZ / Firewall rule diagramming
From: Spigga (spigga_at_gmail.com)
Date: Tue, 7 Dec 2004 14:00:39 -0600
To: Michael Gale <email@example.com>
Man I had a meeting yesterday with Solsoft and their application not
only gives you a very clear picture on the traffic but will configure
all the devices in the path to allow traffic by drawing the line.
Looks VERY nice, though so does the price.... I wish I could have
just the drawing part for free.
On Sun, 05 Dec 2004 22:47:20 -0700, Michael Gale
> I understand what you want now ... I don't believe this has ever been
> done as a standard.
> Craig Humphrey wrote:
> > Hi Michael,
> > From the responses I'm getting, I don't think I explained the situation
> > very well.
> > I'm not after "how to write rules" or "what rules should I have". I'm
> > looking for a generic way to diagram the rules I already have.
> > Preferably something nice and visual (like Visio), but even Visio starts
> > to get cumbersome with a complex DMZ, even breaking flows/rules into
> > layers only goes so far.
> > I was hoping that the industry had developed some formal standards for
> > diagramming DMZs and flows/rules.
> > Thanks
> > Craig
> >>-----Original Message-----
> >>From: Michael Gale [mailto:firstname.lastname@example.org]
> >>Sent: Monday, December 06, 2004 3:26 PM
> >>To: Craig Humphrey; email@example.com
> >>Subject: Re: DMZ / Firewall rule diagramming
> >> Check out some firewall appliances ... most of them
> >>have some sort of
> >>For example I used the following:
> >>Connections from Internal to the DMZ are allowed if they match one of
> >>the forward rules on the firewall.
> >>The forward rules only allow packets from source addresses to
> >>destination addresses on specific ports which are ruled to be
> >>a business
> >>For connections coming from the DMZ to the internal network which are
> >>required for business (Example: Postfix SMTP server to
> >>forward mail on
> >>to Exchange). The DMZ server connects to a proxy or a NATing rule.
> >>DMZ servers never know the IP of an internal server, the DMZ
> >>network has
> >>the same relations with the internal network as the external network
> >>does with the DMZ.
> >>So the DMZ mail server would connect to port 25 on the
> >>firewall and that
> >>traffic would get forwarded to the Exchange server.
> >>That is the standard that I use ... was this what you were
> >>looking for?
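One way to get the "just the drawing part" Spigga wants, and to check Michael's rule of the DMZ never addressing an internal server directly, is to keep the rules as data and generate the diagram from them. The script below is an added example, not code from the thread or from any vendor product; all addresses, the "Exchange" and web hosts, and the firewall's DMZ-side IP are constructed sample values. It emits Graphviz DOT (render with `dot -Tpng`) and flags any DMZ-to-internal rule that bypasses the firewall NAT/proxy hop.

```python
import ipaddress
from dataclasses import dataclass

# Zone networks and hosts in this file are constructed sample values, not from the thread.
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in
         [("internal", "10.0.0.0/24"), ("dmz", "192.168.100.0/24")]}

@dataclass(frozen=True)
class Rule:
    src: str            # host or network that opens the connection
    dst: str            # address it connects to (the firewall itself for NAT'd flows)
    port: int
    nat_to: str = ""    # real server when the firewall forwards the flow on

def zone_of(addr: str) -> str:
    """Classify an address or network as internal, dmz or external."""
    net = ipaddress.ip_network(addr, strict=False)
    for name, zone in ZONES.items():
        if net.version == zone.version and net.subnet_of(zone):
            return name
    return "external"

def lint(rules) -> list:
    """Flag rules where a DMZ host addresses an internal server directly."""
    return [f"{r.src} -> {r.dst}:{r.port} lets the DMZ reach an internal address"
            for r in rules if zone_of(r.src) == "dmz" and zone_of(r.dst) == "internal"]

def to_dot(rules) -> str:
    """Graphviz digraph: nodes labelled by zone, solid edges for permitted
    flows, dashed edges for the firewall's onward NAT/proxy hop."""
    nodes = {n for r in rules for n in (r.src, r.dst, r.nat_to) if n}
    out = ["digraph flows {", "  rankdir=LR;"]
    for n in sorted(nodes):
        out.append(f'  "{n}" [label="{n}\\n({zone_of(n)})"];')
    for r in rules:
        out.append(f'  "{r.src}" -> "{r.dst}" [label="tcp/{r.port}"];')
        if r.nat_to:
            out.append(f'  "{r.dst}" -> "{r.nat_to}" [label="tcp/{r.port} forwarded", style=dashed];')
    out.append("}")
    return "\n".join(out)

SAMPLE_RULES = [
    Rule("10.0.0.0/24", "192.168.100.10", 443),                       # internal -> DMZ web server
    Rule("192.168.100.25", "192.168.100.1", 25, nat_to="10.0.0.50"),  # DMZ mail -> firewall -> Exchange
    Rule("192.168.100.25", "10.0.0.50", 25),                          # direct DMZ -> internal: flagged
]

if __name__ == "__main__":
    print(to_dot(SAMPLE_RULES))
    print("\n".join("WARN: " + f for f in lint(SAMPLE_RULES)))
```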