[FW1] FW and management console design opinions
Hi, all.

I'm considering a new site installation for a potential client and I'm considering different ways in which to integrate a FW/VPN cluster with both my management console (no FW module) and theirs. I know of two ways to do this which would fit the bill, but I'm curious to determine if I have overlooked anything or if anyone else has an interesting solution.

1. EMC on the outside of the FW, protected with border router ACLs and a hardened OS. This allows the EMC to push policy and collect log data from the external interfaces of the remote FW/VPN nodes. This was good in the past when VPN state wasn't saved during policy pushes and you really trusted the hardening of the base OS and router ACLs.

2. EMC NATted through one FW and pushing/pulling from the remote nodes and pushing/polling from an internal interface of the local FW. This is nice because it protects the EMC with the FW but adds at least one policy rule and two NAT rules to what could already be a large rule set.

Anyone have any interesting comments or ideas?

Chris