Security Basics mailing list archives

RE: DMZ / Firewall rule diagramming
From: "Gaydosh, Adam" <GaydoshA () ctc com>
Date: Wed, 8 Dec 2004 10:48:04 -0500

Have you looked at Cisco ConfigMaker?  It is shareware, and although Cisco-centric, it does allow you to add other 


-----Original Message-----
From: Spigga [mailto:spigga () gmail com]
Sent: Tuesday, December 07, 2004 3:01 PM
To: Michael Gale
Cc: Craig Humphrey; security-basics () securityfocus com
Subject: Re: DMZ / Firewall rule diagramming

Man I had a meeting yesterday with Solsoft and their application not
only gives you a very clear picture on the traffic but will configure
all the devices in the path to allow traffic by drawing the line.
Looks VERY nice, though so does the price....  I wish I could have
just the drawing part for free.

On Sun, 05 Dec 2004 22:47:20 -0700, Michael Gale
<michael.gale () bluesuperman com> wrote:

I understand what you want now ... I don't believe this has ever been
done as a standard.


Craig Humphrey wrote:
Hi Michael,

From the responses I'm getting, I don't think I explained the situation
very well.

I'm not after "how to write rules" or "what rules should I have".  I'm
looking for a generic way to diagram the rules I already have.
Preferably something nice and visual (like Visio), but even Visio starts
to get cumbersome with a complex DMZ; even breaking flows/rules into
layers only goes so far.

I was hoping that the industry had developed some formal standards for
diagramming DMZs and flows/rules.


-----Original Message-----
From: Michael Gale [mailto:michael.gale () bluesuperman com]
Sent: Monday, December 06, 2004 3:26 PM
To: Craig Humphrey; security-basics () securityfocus com
Subject: Re: DMZ / Firewall rule diagramming


     Check out some firewall appliances ... most of them have some sort of

For example I used the following:

Connections from Internal to the DMZ are allowed if they match one of
the forward rules on the firewall.

The forward rules only allow packets from source addresses to
destination addresses on specific ports which are ruled to be a business

For connections coming from the DMZ to the internal network which are
required for business (Example: Postfix SMTP server to forward mail on
to Exchange), the DMZ server connects to a proxy or a NATing rule.

DMZ servers never know the IP of an internal server; the DMZ network has
the same relationship with the internal network as the external network
does with the DMZ.

So the DMZ mail server would connect to port 25 on the firewall and that
traffic would get forwarded to the Exchange server.

That is the standard that I use ... was this what you were looking for?
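The rule standard Michael describes (internal to DMZ only via forward rules, DMZ to internal only through a NAT rule on the firewall) and Craig's wish to diagram the rules he already has, as an added Python example that is not part of this thread: it models a constructed rule set, checks that no rule lets a DMZ host reach an internal address directly, and emits a Graphviz DOT diagram of the allowed flows. The zone networks, addresses and the Rule fields are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zones for this example (not from the thread).
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}
FIREWALL_DMZ_IP = "192.168.100.1"  # firewall's leg on the DMZ, where NAT rules listen


@dataclass
class Rule:
    src: str            # source address or network
    dst: str            # destination the client actually connects to
    dport: int
    nat_to: str = None  # DNAT rules only: internal address the firewall forwards to


def zone_of(addr: str) -> str:
    """Map an address or network to its zone; anything unmatched is 'external'."""
    net = ipaddress.ip_network(addr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "external"


def violations(rules):
    """Rules that let a DMZ host talk to an internal address directly.

    Under the standard above, DMZ->internal traffic must target the firewall
    itself and be DNATed, so the DMZ never learns internal IPs.
    """
    return [r for r in rules
            if zone_of(r.src) == "dmz" and zone_of(r.dst) == "internal"]


def to_dot(rules) -> str:
    """Render the rule set as a Graphviz DOT digraph, one edge per allowed flow."""
    lines = ["digraph firewall {", "  rankdir=LR;"]
    for r in rules:
        lines.append(f'  "{r.src}" -> "{r.dst}" [label="tcp/{r.dport}"];')
        if r.nat_to:  # second hop performed by the firewall on the DMZ host's behalf
            lines.append(f'  "{r.dst}" -> "{r.nat_to}" [label="DNAT tcp/{r.dport}", style=dashed];')
    lines.append("}")
    return "\n".join(lines)


# Constructed rule set following the thread's Postfix -> Exchange example.
RULES = [
    Rule("10.0.0.0/8", "192.168.100.25", 25),                        # internal -> DMZ Postfix
    Rule("192.168.100.25", FIREWALL_DMZ_IP, 25, nat_to="10.0.0.5"),  # Postfix -> firewall -> Exchange
]
```

Feed the output of `to_dot(RULES)` to `dot -Tpng` to get the picture; a non-empty `violations()` list flags a rule that breaks the DMZ isolation the standard relies on.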

