Re: [FW1] Managing a lot of firewalls



I don't see it being a huge issue parsing objects.C and generating diffs
that can be distributed to other firewalls (or generate reports) on
what is different from other nodes that need to have the same objects.

In my scenario I have 20-25 firewalls, all of which need to interact
with a WAN where they should ideally use all the same objects, so why
not hack a few lines of Perl and make sure that people use the same basic
objects (networks, workstations and groups for starters)? As far as
I've peeked in the file it is fairly well structured.

Another angle is that we have a set of smaller firewalls which are
used temporarily for implementing projects, which have their rules
integrated into larger production-grade firewalls when the projects
actually know what they need (hands up anyone who has had software
project X come in and hand you a ruleset on day one, and had anything
remotely resembling it when they are ready to go live with the
project? :) ). Having something like this in place, combined with
Sun's jumpstart allows you to stick one piece of Sun-kit in a plug and
do a "boot net - install" from the PROM, and come back 20 minutes
later to a firewall that has not only FW-1 installed, the OS hammered
down and all that, but also has a complete objects.C that gives them
all the stuff they need, along with a default rulebase.

cheers,
Alexander

"Aylton Souza, CISSP" <[email protected]> writes:

> Guys,
> 
> I have been through this before and my suggestion is: Don't do that unless
> you have a full unlimited license for aspirins and coffee. :)
> 
> Best wishes
> 
> Aylton
> ----- Original Message -----
> From: "Greg Winkler" <[email protected]>
> To: "Jason Stout" <[email protected]>
> Cc: <[email protected]>;
> <[email protected]>
> Sent: Tuesday, April 24, 2001 12:29 PM
> Subject: RE: [FW1] Managing a lot of firewalls
> 
> 
> >
> >
> > Jason,
> >
> > Could you elaborate on the suggestion to replicate the objects.c file
> > around? If I get the gist of what you suggest I would have one objects.c
> > file with all my network objects defined in it and have to manually move it
> > between several management stations? I would assume that I'd have to do the
> > same with my rulebase as well. Scares the hell out of me!
> >
> > ----------------------------------------------------------------------------------------
> >
> > Greg Winkler
> > Systems Manager, IT&S
> > Huntsman Corporation
> > Internet Mail: [email protected]
> > Voice:
> > Fax:
> >
> >
> >
> >
> > Jason Stout <[email protected]>
> > Sent by: [email protected]
> > 04/21/2001 02:12 AM
> >
> > To: Greg Winkler/US/HO/HUNTSMAN@HUNTSMAN
> > cc: [email protected]
> > Subject: RE: [FW1] Managing a lot of firewalls
> >
> > With Provider each management client will have their own objects.
> > You're essentially giving each customer or access point in your
> > case, their own management stations. I don't think this would be
> > a good solution for what you're looking to do.
> >
> > I'd suggest running all your firewalls on a couple of management
> > servers and replicate the objects.c to the other management
> > servers.
> >
> > -jason
> >
> > ------Original Message------
> > From: "Greg Winkler" <[email protected]>
> > To: [email protected]
> > Sent: April 20, 2001 7:27:20 PM GMT
> > Subject: [FW1] Managing a lot of firewalls
> >
> >
> >
> > A suggestion has been made that we move to an Internet access model that
> > involves firewalls and ISP connection points at many of our locations,
> > mostly in Europe. Can't give you an exact number but I would guess we are
> > talking about 30 or so firewalls.
> >
> > How would one manage so many? Right now we've got only 4 and management is
> > fairly simple using an Enterprise license. Can a single management station
> > manage 30 plus firewalls? I would expect probably not. What are the
> > options? I've heard of Provider-1, would that allow me to "manage" multiple
> > management stations such that I would still only have one set of network
> > objects and rulebase to maintain? Does it work well?
> >
> >
> > ----------------------------------------------------------------------------------------
> >
> >
> > Greg Winkler
> > Systems Manager, IT&S
> > Huntsman Corporation
> > Internet Mail: [email protected]
> > Voice:
> > Fax:
> >
> >
> >
> >
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> >

-- 
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
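
The objects.C comparison suggested in the message above, sketched as an added example that is not part of the original post and is written in Python rather than the Perl the post mentions. The simplified nested `:key (value)` layout, the sample object names and the function names are assumptions made for illustration; the samples are constructed.

```python
import re

TOKEN = re.compile(r'"[^"]*"|[()]|:[^\s()]*|[^\s():]+')

def parse(text):
    """Parse nested ':key (value ...)' text into (atoms, [(key, child), ...])."""
    toks = TOKEN.findall(text)
    def node(i):                              # toks[i] is the opening '('
        atoms, kids, i = [], [], i + 1
        while toks[i] != ')':
            if not toks[i].startswith(':'):   # bare atom: object name or value
                atoms.append(toks[i])
                i += 1
                continue
            key = toks[i][1:]                 # ':key (...)' entry or ': name' member
            child, i = node(i + 1) if toks[i + 1] == '(' else (([toks[i + 1]], []), i + 2)
            kids.append((key, child))
        return (atoms, kids), i + 1
    return node(0)[0]

def network_objects(text):
    """Map object name -> {attr: value}; unnamed ': x' entries become 'members'."""
    table = next(c for k, c in parse(text)[1] if k == 'netobj')
    objs = {}
    for key, (atoms, kids) in table[1]:
        if not key and atoms:
            props = {k: ' '.join(c[0]) for k, c in kids if k}
            props['members'] = sorted(c[0][0] for k, c in kids if not k and c[0])
            objs[atoms[0]] = props
    return objs

def drift(base, node):
    """Objects missing from, extra on, or defined differently on a node."""
    delta = lambda b, n: {k: (b.get(k), n.get(k)) for k in b.keys() | n.keys() if b.get(k) != n.get(k)}
    return {'missing': sorted(base.keys() - node.keys()),
            'extra': sorted(node.keys() - base.keys()),
            'changed': {o: delta(base[o], node[o]) for o in base.keys() & node.keys() if base[o] != node[o]}}

# Constructed samples; the simplified objects.C-like layout is an assumption.
BASELINE = """(:netobj (netobj
  : (wan-core :type (network) :ipaddr (10.0.0.0) :netmask (255.255.0.0))
  : (mail-gw :type (host) :ipaddr (10.0.1.25))
  : (wan-trusted :type (group) : wan-core : mail-gw)))"""
NODE = """(:netobj (netobj
  : (wan-core :type (network) :ipaddr (10.0.0.0) :netmask (255.0.0.0))
  : (wan-trusted :type (group) : wan-core)
  : (proj-x-db :type (host) :ipaddr (192.168.7.10))))"""
if __name__ == '__main__':
    print(drift(network_objects(BASELINE), network_objects(NODE)))
```

The `changed` entries are the ones to review first: an object with the same name but a different netmask or group membership makes an identical rule match different traffic on different firewalls.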

