
During design time, before a build-out, I currently create an Excel file version of a firewall rulebase (policy) representing source/target/port/protocol/etc. definitions before they are pushed to the vendor-specific firewall devices.

Question: Is there an approach to do FISMA/NIST/CIS analysis of that rulebase prior to deploying? I see a lot of analysis tools are for active-integration directly into the firewall devices, and/or doing log analysis after they have been running a while. In trying to be proactive, is there an approach during design-time to catch any obvious gotchas?

  • Static analysis testing of rule sets will depend on the vendor because the language used will differ. There are iptables analysis tools, for instance, because the syntax is well-known, but I'm not sure that there will be a tool that ingests Excel spreadsheets. – schroeder Mar 16 '17 at 15:56
  • Hmm, that would be a feasible approach - in fact, injection into any software-based firewall so there is a common convention for the compliance-focused analysis tool would be reasonable, assuming one can swap at a whim between different rulebases/policies (i.e. agile/iterative design review), as long as it doesn't require log / flow traffic observations. – dhartford Mar 17 '17 at 12:32
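As an added example (not part of the question or the comments, and not any vendor's tool), the following Python script shows one way to do the vendor-neutral, design-time lint the comments converge on: export the spreadsheet to CSV, parse it into a common representation, and run static checks before anything is pushed to a device. The column names (`id,action,src,dst,proto,port,log,desc`), the sample rulebase and the set of checks are all assumptions for illustration; the checks cover the usual gotchas such baselines call out (allow any/any, admin services exposed to any source, undocumented rules, deny rules without logging, shadowed rules that can never match, and a missing final explicit deny).

```python
"""Design-time lint for a firewall rulebase exported from a spreadsheet to CSV.

Added example, not from the question or comments. Column names are an assumption:
id, action, src, dst, proto, port, log, desc. Networks are CIDR or "any";
port is a number, a range "a-b", or "any"; log is "yes"/"no".
"""
import csv
import io
import ipaddress

# Constructed sample rulebase, deliberately seeded with a few findings.
SAMPLE_CSV = """id,action,src,dst,proto,port,log,desc
10,allow,10.0.0.0/8,10.1.2.10/32,tcp,443,yes,Intranet to web tier (CHG-001)
20,allow,any,10.1.2.20/32,tcp,22,no,
30,allow,10.0.1.0/24,10.1.2.10/32,tcp,443,yes,Shadowed by rule 10
40,allow,any,any,any,any,no,temporary troubleshooting
50,deny,any,any,any,any,yes,Default deny
"""

# Remote-administration / lateral-movement services (assumed list).
ADMIN_PORTS = {22, 23, 135, 445, 3389}


def _net(value):
    """'any' -> the whole IPv4 space, otherwise the CIDR as written."""
    v = value.strip().lower()
    return ipaddress.ip_network("0.0.0.0/0" if v == "any" else v)


def _ports(value):
    """'any' -> (0, 65535); 'a-b' -> (a, b); 'n' -> (n, n)."""
    v = value.strip().lower()
    if v == "any":
        return (0, 65535)
    lo, _, hi = v.partition("-")
    return (int(lo), int(hi or lo))


def parse_rules(text):
    """Turn the CSV export into a list of normalised rule dicts (in policy order)."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append({
            "id": row["id"].strip(),
            "action": row["action"].strip().lower(),
            "src": _net(row["src"]),
            "dst": _net(row["dst"]),
            "proto": row["proto"].strip().lower(),
            "port": _ports(row["port"]),
            "log": row["log"].strip().lower() == "yes",
            "desc": row["desc"].strip(),
        })
    return rules


def _covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (inner["src"].subnet_of(outer["src"])
            and inner["dst"].subnet_of(outer["dst"])
            and outer["proto"] in ("any", inner["proto"])
            and outer["port"][0] <= inner["port"][0]
            and inner["port"][1] <= outer["port"][1])


def _is_any_any(r):
    return (r["src"].prefixlen == 0 and r["dst"].prefixlen == 0
            and r["proto"] == "any" and r["port"] == (0, 65535))


def lint(rules):
    """Return a list of (rule_id, finding) tuples; empty means no findings."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] == "allow" and _is_any_any(r):
            findings.append((r["id"], "allow any/any/any: no real policy"))
        if (r["action"] == "allow" and r["src"].prefixlen == 0
                and r["proto"] in ("tcp", "any")
                and any(r["port"][0] <= p <= r["port"][1] for p in ADMIN_PORTS)):
            findings.append((r["id"], "admin service reachable from any source"))
        if not r["desc"]:
            findings.append((r["id"], "no justification/ticket recorded"))
        if r["action"] == "deny" and not r["log"]:
            findings.append((r["id"], "deny rule without logging"))
        # First-match semantics: an earlier rule that fully covers this one shadows it.
        for earlier in rules[:i]:
            if _covers(earlier, r):
                findings.append((r["id"], f"shadowed by rule {earlier['id']} (never matches)"))
                break
    if not rules or not (rules[-1]["action"] == "deny" and _is_any_any(rules[-1])):
        findings.append(("-", "rulebase does not end with an explicit deny-all"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in lint(parse_rules(SAMPLE_CSV)):
        print(f"rule {rule_id}: {finding}")
```

Because the checks run on the normalised representation rather than on vendor syntax, the same script can be pointed at each iteration of the design spreadsheet without touching a device or needing any traffic logs; translating the vendor-specific configuration back into the same CSV shape after deployment would also let you diff the intended policy against what was actually pushed.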

0 Answers