[FW1] Managing Multiple FireWalls.
Hi there,

I have nine Check Point firewalls that I'm trying to manage and am looking for comments on how best to deploy a manageable management framework.

All of the firewalls bar one are deployed in pairs for redundancy; the pairs are geographically dispersed but connected via a Wide Area Network. Each pair of firewalls currently has its own Rulebase, and each Rulebase is in excess of 90 rules due to Security infrastructure design which limits traffic on a per host rather than per network basis. There are a number of small improvements that could be made here, however none that would significantly change the number of rules.

Additionally we have Cisco routers with ACLs and IOS firewall to contend with. Possibly an OSE will allow us to deploy and update ACLs, although I don't recall if the OSE supports 12.x yet. IOS firewall is still going to have to be configured manually (sucky!).

Other security tools in place include a real mismatch of various logging servers, reporting tools, monitoring tools and IDS systems.

It was recently suggested that we combine all the rulesets into one, however to do so would create a rule base that would be more difficult to understand (according to CP the hashing methodology across the v4.x and later kernel has greatly increased performance of Rulebase lookups). Also, we then have issues surrounding performance of logging information across the WAN etc. which, for example, could be solved with Client Logging Modules closer to the enforcement modules.

I'm very interested to see comments on how people would best manage this environment.

Thanks in Advance
Greg