Re: [FW-1] Distributed FW/VPN & Mgt Modules
Not quite a fit to use secure server, but thanks. I think that I will move the management server to a public IP that is on a secure segment off of the FW server and protect it that way. It will take a lot of work to reconfigure all of the FW modules that I have globally to see the new MGT server as the new master, but as I said, I don't get much feedback. I'm in uncharted water.

--- Matthias Leu <[email protected]> wrote:

> Hi,
> I'm sure you are not the first Administrator separating Management and Firewall ;-)
>
> Chris H wrote:
>
> > If I want to move from a single box running both the FW/VPN module and Management module to an appliance running the FW/VPN module and a separate box running the management module, how do I secure the MGT server?
>
> Administrators often don't remember that the Management-Module itself is no Firewall - but it's very recommended to make this machine sure. If an attacker "has" the Management of all Firewalls, the Administrator has lost seriously.
>
> Maybe Check Point Secure Server is the right choice for you. It's like a Firewall, but without routing and for securing exactly one computer. It has to be licensed separately, but the price is not so high and the security of the Management should be worth this.
>
> "Protecting" the Management-Module by hiding it - I don't think this is the right way. Just think of internal attackers, co-workers in your private network...
>
> Hope it helps,
> best regards,
> Matthias
>
> http://www.fw-1.de
>
> > If I didn't run any other FW/VPNs with the all in one box I could just put the MGT server on the secure side of the FW and NAT the MGT server. The hitch is that I manage and run a bunch of other distributed FW/VPN modules with this all in one box.
> > So if I change the management station to an internal NAT'd IP then the remote modules won't be able to be managed without the VPN being up first and if the VPN has a problem I can't manage it? Has anyone done this before? How was it handled? The silence on this question has been deafening. I can't be the only one to try this.
> >
> > Thanks
> > Chris

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================