
[FW1] FW and management console design opinions



Hi, all.  I'm considering a new site installation for a potential client and
I'm considering different ways in which to integrate a FW/VPN cluster with
both my management console (no FW module) and theirs.  I know of two ways to
do this which would fit the bill but I'm curious to determine if I have
overlooked anything or if anyone else has an interesting solution.

1.  EMC on the outside of the FW, protected with border router ACLs and a
hardened OS.  This allows the EMC to push policy and collect log data from
the external interfaces of the remote FW/VPN nodes.  This was good in the
past when VPN state wasn't saved during policy pushes and you really trusted
the hardening of the base OS and router ACLs.

2.   EMC NATted through one FW and pushing/pulling from the remote nodes and
pushing/polling from an internal interface of the local FW.  This is nice
because it protects the EMC with the FW but adds at least one policy rule
and two NAT rules to what could already be a large rule set.

Anyone have any interesting comments or ideas?

Chris


   All contents © 2004 Network Presence, LLC. All rights reserved.