Comments on CP's Information Security Blog: Raw unrefined suggestion about firewall rules
(comment feed last updated 2023-03-22)

Day, 2009-06-26 15:40 (+02:00)

If you do this at the application layer, then the rules description will be on par with the open ports.

This won't be an added layer of security :-|

Am I wrong?

Christophe Pradier-Pfeiffer, 2009-06-29 18:39 (+02:00)

I am not sure about your meaning.
I mean to write a single file that describes all the needs of the piece of software (positive rule) for each layer.
Then such files could be fed to the firewall for autoconfiguration.

Of course, as you mentioned on the phone and as I long defended (also in this blog: http://cpradier.blogspot.com/2009/01/firewall-is-not-security-device.html), only the man's job is real security. A firewall is only a help to shape the traffic, and this idea that I am proposing is only a help to configure the firewall.

ketherius (http://lasueta.info), 2009-11-03 00:13 (+01:00)

I am not sure I understood the problem. You want to be able to write rules like

allow my_server run pgsql

and have a config file that describes the connectivity needs of PostgreSQL, right?

Well, after working a few years with OpenBSD's pf, I was able to accomplish something similar.
Pf is worth learning, and the adoption of pf by FreeBSD is testimony to this :-)

Christophe Pradier-Pfeiffer, 2009-11-03 12:53 (+01:00)

Yeah, it's a complex one, and through yours and Day's comments I think I should rather make a new article to put the idea more clearly.

The idea is simply that an application would self-describe its requirements in terms of opening of networks. The local firewall would then collect those self-descriptions and set the corresponding rules.

It would allow for a more granular setting of firewalling rules and also for an automated firewall configuration.

This is at the "personal firewall" level, but you could also imagine a centralized system that would allow for automatic configuration of the main corporate firewall, in agreement with a policy, of course.