[TriLUG] Ideas about centralized management of iptables via SNMP traps
Glen Ford
gford at idiom.com
Wed Mar 20 10:10:05 EST 2002
Jon Carnes wrote:
>
> --- Original Message: Tuesday 19 March 2002 03:58 pm ---
> > Chris Hedemark [chris at yonderway.com] wrote:
> > > No thanks. Sounds too easily exploitable. The firewall box should be
> > > very paranoid about using external data sources to decide on whether to
> > > permit or deny traffic.
> > >
> > > BTW - How many firewalls do you need anyway? One firewall box can handle
> > > quite a few fast ethernet connections, and T1's are a piece of cake. I'm
> > > trying to understand your problem better and I'm wondering if the site
> > > really is so large to need so many firewalls or will just one really well
> > > configured firewall fit the bill?
>
> For a small company a single firewall is necessary and sufficient, but as a
> company grows they will begin to use specialized firewalls for various
> purposes. As they grow even larger, a company will bring in redundancy so
> that they can run their shop 24x7 with no down-time.
>
> At HAHT's Raleigh office we have 5 to 9 firewalls (depending on how liberal
> your definition of "firewall" is). Management of the lot can be a bit of a
> hassle. Throw into the mix all the firewalls at our remote sites, and we've
> got around 18 firewalls to manage.
>
> So what is there to manage? Traffic for one thing, and Routing for
> another. All our firewalls do routing and each has their own special routing
> task(s). Bring on a new segment to our WAN, and all the routing tables have
> to be updated.
>
> Also, we need to know what packages/apps are installed and *used* on each
> firewall. This last upgrade of SecureShell was a killer to me!
> Aside: Now I understand why folks really like rpms - and
> Red Hat Network! I just pushed an amendment to
> our budget for next year that will cover all our
> firewalls on RHN.
>
> >
> > Not only that... but the *last* thing you want to use for configuration of
> > a secure firewall is a configuration channel going over the most insecure
> > wide-open protocol known to man. =)
> >
> > I would think that if anything, you'd be better off doing some kind of
> > openssh tunneled thing.
>
> Agreed, you really wouldn't want to use SNMP. I'm sure there must be a
> simple way to move the information around using ssl or across a ssh
> connection.
>
> Jon
I am still collecting the ideas in the responses to formulate a summary
response. As Jon noted, as the number of firewalls grows there comes a
point where "some" system of management is needed. It could be simply a
single server where the rules are under revision control and are pushed
via scp to the firewalls. Some of the things I see needing a centralized
view/management are:
1. For any given DMZ, what is my policy and do the rules fit the policy?
I thought of a way of parsing the rules and giving an HTML table of what
is allowed to/from a particular firewall. The presentation should be
something a high-level manager could use.
2. At any given point in time, how are my firewalls doing? Again, once a
way to gather the info is established, it needs to be rolled up into a
high-level view and presented on a webpage.
3. If I fat-finger a rule and lock out remote admin, what do I do? I
thought Compaq's lights-out card would solve this.
4. Will need to get a load balancer for firewalls that keeps state and
hopefully does not require any network topology changes.
Side motivation. More and more I see the need to collect and correlate
data. To this end I am going to try to build an Oracle database on my
server at home. Once built, I plan on mucking around with populating the
database with nmap output.
--
Glen Ford
gford at idiom.com
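The first item above (parse the rule set, check it against the DMZ policy, and present the result as an HTML table a manager can read) can be demonstrated on iptables-save output. The following is an added example, not code from the thread or from any of the posters: it parses a constructed iptables-save dump for a hypothetical DMZ firewall, compares every ACCEPT rule in FORWARD against a hypothetical allow-list policy, and renders the rule table as HTML. The networks, ports and the policy entries are made up for illustration.

```python
"""Parse iptables-save output into a flat rule table and check it against
an allow-list policy.  Added example; the rule dump and policy are constructed."""
import ipaddress
import shlex
from dataclasses import dataclass
from html import escape
from typing import Optional

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    table: str
    chain: str
    src: ipaddress.IPv4Network = ANY_NET   # no -s means "from anywhere"
    dst: ipaddress.IPv4Network = ANY_NET   # no -d means "to anywhere"
    proto: str = "any"
    dport: Optional[int] = None            # None means "all ports"
    states: frozenset = frozenset()        # from -m state --state a,b
    target: str = ""
    raw: str = ""


def parse_iptables_save(text: str) -> list:
    """One Rule per '-A' line; chain headers, COMMIT and comments are skipped.
    Only the options needed for a policy view are extracted; unknown options
    are stepped over.  Negation ('!') is left in `raw` for check_policy."""
    rules, table = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if not line.startswith("-A"):
            continue
        toks = shlex.split(line)
        rule = Rule(table=table, chain=toks[1], raw=line)
        i = 2
        while i < len(toks):
            tok = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if tok in ("-s", "--source"):
                rule.src = ipaddress.ip_network(arg, strict=False)
            elif tok in ("-d", "--destination"):
                rule.dst = ipaddress.ip_network(arg, strict=False)
            elif tok in ("-p", "--protocol"):
                rule.proto = "any" if arg.lower() == "all" else arg.lower()
            elif tok == "--dport":
                rule.dport = int(arg)
            elif tok == "--state":
                rule.states = frozenset(arg.upper().split(","))
            elif tok in ("-j", "--jump"):
                rule.target = arg
            elif tok != "-m":          # -m takes a module name; others take one arg or none
                i += 1
                continue
            i += 2
        rules.append(rule)
    return rules


@dataclass(frozen=True)
class Allow:
    """One line of the DMZ policy: traffic that is permitted to exist in the rules."""
    src: str
    dst: str
    proto: str = "any"
    dport: Optional[int] = None


def permitted_by(rule: Rule, allow: Allow) -> bool:
    """A rule is covered if it is no broader than the policy entry on every axis."""
    return (rule.src.subnet_of(ipaddress.ip_network(allow.src))
            and rule.dst.subnet_of(ipaddress.ip_network(allow.dst))
            and allow.proto in ("any", rule.proto)
            and (allow.dport is None or allow.dport == rule.dport))


def check_policy(rules: list, chain: str, policy: list) -> list:
    """Return the ACCEPT rules in `chain` that no policy entry covers.  Rules that
    match only RELATED/ESTABLISHED are return traffic and are not judged; rules
    using '!' negation cannot be compared safely and are flagged for review."""
    findings = []
    for r in rules:
        if r.chain != chain or r.target != "ACCEPT":
            continue
        if "!" in r.raw.split():
            findings.append(f"REVIEW (negation): {r.raw}")
        elif r.states and r.states <= {"RELATED", "ESTABLISHED"}:
            continue
        elif not any(permitted_by(r, a) for a in policy):
            findings.append(f"NOT IN POLICY: {r.raw}")
    return findings


def render_html(rules: list) -> str:
    """Flat table of chain/src/dst/proto/port/action for rules that have a target."""
    head = ("<tr><th>Chain</th><th>Source</th><th>Destination</th>"
            "<th>Proto</th><th>Port</th><th>Action</th></tr>")
    rows = [f"<tr><td>{escape(r.chain)}</td><td>{r.src}</td><td>{r.dst}</td>"
            f"<td>{r.proto}</td><td>{r.dport if r.dport is not None else 'any'}</td>"
            f"<td>{escape(r.target)}</td></tr>" for r in rules if r.target]
    return "<table>\n" + "\n".join([head] + rows) + "\n</table>"


# Constructed iptables-save dump for a hypothetical DMZ firewall (not a real host).
SAMPLE_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 192.168.10.5/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 192.168.10.6/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.10.7/32 -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -s 10.1.5.0/24 -d 192.168.10.0/24 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP "
COMMIT
"""

# Hypothetical policy: corporate LAN may reach the web server on 443 and the
# bastion on 22; nothing else into the DMZ.
DMZ_POLICY = [
    Allow("10.1.0.0/16", "192.168.10.5/32", "tcp", 443),
    Allow("10.1.0.0/16", "192.168.10.6/32", "tcp", 22),
]

if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE_SAVE)
    for f in check_policy(parsed, "FORWARD", DMZ_POLICY):
        print(f)
    print(render_html(parsed))
```

Run against the constructed dump, the check reports the telnet rule (open from anywhere) and the 10.1.5.0/24 any-protocol rule as not in policy, while the two explicit allows and the stateful return-traffic rule pass. The comparison is deliberately one-directional: a rule is only accepted if it is no broader than some policy line, so a fat-fingered /16 where a /24 was intended shows up rather than being waved through; the price is that `iptables-save` output with negation or modules the parser does not understand must be reviewed by hand, which is why those are reported rather than silently accepted.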