Security Basics: RE: DMZ / Firewall rule diagramming

RE: DMZ / Firewall rule diagramming

From: Jackson, Gary <Gary.Jackson_at_tectura.com>
Date: Tue, 7 Dec 2004 21:37:48 -0700

Checkpoint Visual Policy Editor offers some functionality in that area,
but it's still limited. I haven't found any kind of rules-to-diagram
parser for i.e. iptables. Maybe time to write something.

-----Original Message-----
From: Craig Humphrey [mailto:Craig.Humphrey_at_chapmantripp.com]
Sent: Sun 12/5/2004 8:34 PM
To: security-basics_at_securityfocus.com
Cc: Michael Gale
Subject: RE: DMZ / Firewall rule diagramming
 
Hi Michael,

From the responses I'm getting, I don't think I explained the situation
very well.

I'm not after "how to write rules" or "what rules should I have". I'm
looking for a generic way to diagram the rules I already have.
Preferably something nice and visual (like Visio), but even Visio starts
to get cumbersome with a complex DMZ; even breaking flows/rules into
layers only goes so far.

I was hoping that the industry had developed some formal standards for
diagramming DMZs and flows/rules.

Thanks
Craig

> -----Original Message-----
> From: Michael Gale [mailto:michael.gale_at_bluesuperman.com]
> Sent: Monday, December 06, 2004 3:26 PM
> To: Craig Humphrey; security-basics_at_securityfocus.com
> Subject: Re: DMZ / Firewall rule diagramming
>
> Hello,
>
> Check out some firewall appliances ... most of them have some sort of
> standard.
>
> For example I used the following:
>
> Connections from Internal to the DMZ are allowed if they match one of
> the forward rules on the firewall.
>
> The forward rules only allow packets from source addresses to
> destination addresses on specific ports which are ruled to be a
> business requirement.
>
> For connections coming from the DMZ to the internal network which are
> required for business (for example, a Postfix SMTP server forwarding
> mail on to Exchange), the DMZ server connects to a proxy or a NATing
> rule.
>
> DMZ servers never know the IP of an internal server; the DMZ network
> has the same relationship with the internal network as the external
> network does with the DMZ.
>
> So the DMZ mail server would connect to port 25 on the firewall and
> that traffic would get forwarded to the Exchange server.
>
> That is the standard that I use ... was this what you were looking
> for?
>
> Michael
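Gary mentions that no rules-to-diagram parser exists for iptables, and Michael describes the zone scheme (internal to DMZ only via explicit forward rules, DMZ to internal only via a NAT on the firewall). The following script is an added example written for this archive page, not code from any of the posters: it reads iptables-save style rules, maps addresses to zones, and emits a Graphviz DOT graph of the allowed flows. The zone map and the sample rules are constructed for illustration.

```python
import ipaddress
import re

# Constructed zone map (assumption): the firewall's outside address is 203.0.113.1,
# the DMZ is 192.168.100.0/24 and the internal network is 10.0.0.0/8.
ZONES = {
    "firewall": ipaddress.ip_network("203.0.113.1/32"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

# Constructed sample rules in iptables-save syntax, modelled on Michael's scheme: internal -> DMZ
# web on tcp/80, and the DMZ mail relay reaching Exchange only via a DNAT on the firewall's port 25.
SAMPLE_RULES = """\
-A PREROUTING -s 192.168.100.20/32 -d 203.0.113.1/32 -p tcp --dport 25 -j DNAT --to-destination 10.1.1.5:25
-A FORWARD -s 10.0.0.0/8 -d 192.168.100.10/32 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.100.20/32 -d 10.1.1.5/32 -p tcp --dport 25 -j ACCEPT
-A FORWARD -j DROP
"""

def zone_of(cidr):
    """Map an address or CIDR to its zone name; anything unlisted is 'external'."""
    net = ipaddress.ip_network(cidr, strict=False)
    return next((z for z, n in ZONES.items() if net.subnet_of(n)), "external")

def parse_rules(text):
    """Return sorted (src_zone, dst_zone, proto/port, action) flows from '-A' rule lines.
    Only 'option value' pairs are read, so valueless flags such as --syn are not handled."""
    flows = set()
    for line in text.splitlines():
        opts = dict(re.findall(r"(--?[\w-]+) (\S+)", line))
        if "-s" not in opts or "-d" not in opts:
            continue  # catch-all rules (the final DROP) describe no flow to draw
        svc = f"{opts.get('-p', 'any')}/{opts.get('--dport', 'any')}"
        src, dst = zone_of(opts["-s"]), zone_of(opts["-d"])
        if opts.get("-j") == "ACCEPT":
            flows.add((src, dst, svc, "ACCEPT"))
        elif opts.get("-j") == "DNAT":  # draw the hop into the firewall and the hop out
            inside = zone_of(opts["--to-destination"].split(":")[0])
            flows.update({(src, dst, svc, "DNAT"), (dst, inside, svc, "DNAT")})
    return sorted(flows)

def to_dot(flows):
    """Render the flows as a Graphviz digraph: one labelled edge per allowed service."""
    out = ["digraph firewall {", "  rankdir=LR;"]
    for src, dst, svc, action in flows:
        style = " style=dashed" if action == "DNAT" else ""
        out.append(f'  "{src}" -> "{dst}" [label="{svc}"{style}];')
    return "\n".join(out + ["}"])
```

Running `print(to_dot(parse_rules(SAMPLE_RULES)))` and piping the output through `dot -Tpng` gives the zone diagram; dashed edges mark the NAT hop through the firewall that Michael describes.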
Received on Dec 09 2004
