Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Distributed FW/VPN & Mgt Modules

To: [email protected]
Subject: Re: [FW-1] Distributed FW/VPN & Mgt Modules
From: Matthias Leu <[email protected]>
Date: Tue, 20 Nov 2001 21:12:00 +0100
Organization: AERAsec Network Services and Security GmbH
References: <[email protected]>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Hi,
I'm sure, you are not the first Administrator separating Management and
Firewall  ;-)

Chris H wrote:

> If I want to move from a single box running both the
> FW/VPN module and Management module to an appliance
> running the FW/VPN module and a separate box running
> the management module, how do I secure the MGT server?

Administrators often don't remember, that the Management-Module itself is
no Firewall - but it's very recommended to make this machine sure. If an
attacker "has" the Management of all Firewalls, the Administrator has
lost seriously.
Maybe Check Point Secure Server is the right choice for you. It's like a
Firewall, but without routing and for securing exactly one computer. It
has to be licensed separately, but the price is not soo high and the
security of the Management should be worth this.
"Protecting" the Management-Module by hiding it - I don't think, this is
the right way. Just think of internal attackers, co-workers in your
private network...
Hope it helps,
best regards,
Matthias

http://www.fw-1.de

>  If I didn?t run any other FW/VPNs with the all in one
> box I could just put the MGT server on the secure side
> of the FW and NAT the MGT server.  The hitch is that I
> manage and run a bunch of other distributed FW/VPN
> modules with this all in one box.  So if I change the
> management station to an internal NAT'd IP then the
> remote modules won't be able to be managed without the
> VPN being up first and if the VPN has a problem I
> can't manage it?  Has anyone done this before?  How
> was it handled?  The silence on this question has been
> deafening. I can't be the only one to try this.
>
> Thanks
> Chris
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.
> http://geocities.yahoo.com/ps/info1
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================

Follow-Ups:
- Re: [FW-1] Distributed FW/VPN & Mgt Modules
  - From: Chris H <[email protected]>

References:
- [FW-1] Distributed FW/VPN & Mgt Modules
  - From: Chris H <[email protected]>

Prev by Date: [FW-1] Log problem.
Next by Date: Re: [FW-1] Log problem.
Previous by thread: [FW-1] Distributed FW/VPN & Mgt Modules
Next by thread: Re: [FW-1] Distributed FW/VPN & Mgt Modules
Index(es):
- Date
- Thread