[TriLUG] Ideas about centralized management of iptables via SNMP traps

Glen Ford gford at idiom.com
Wed Mar 20 10:10:05 EST 2002


Jon Carnes wrote:
> 
>  --- Original Message: Tuesday 19 March 2002 03:58 pm ---
> > Chris Hedemark [chris at yonderway.com] wrote:
> > > No thanks.  Sounds too easily exploitable.  The firewall box should be
> > > very paranoid about using external data sources to decide on whether to
> > > permit or deny traffic.
> > >
> > > BTW - How many firewalls do you need anyway?  One firewall box can handle
> > > quite a few fast ethernet connections, and T1's are a piece of cake.  I'm
> > > trying to understand your problem better and I'm wondering if the site
> > > really is so large to need so many firewalls or will just one really well
> > > configured firewall fit the bill?
> 
> For a small company a single firewall is necessary and sufficient, but as a
> company grows they will begin to use specialized firewalls for various
> purposes.  As they grow even larger, a company will bring in redundancy so
> that they can run their shop 24x7 with no down-time.
> 
> At HAHT's Raleigh office we have 5 to 9 firewalls (depending on how liberal
> your definition of "firewall" is).  Management of the lot can be a bit of a
> hassle.  Throw into the mix all the firewalls at our remote sites, and we've
> got around 18 firewalls to manage.
> 
> So what is there to manage?  Traffic for one thing, and Routing for
> another.  All our firewalls do routing and each has their own special routing
> task(s).  Bring on a new segment to our WAN, and all the routing tables have
> to be updated.
> 
> Also, we need to know what packages/apps are installed and *used* on each
> firewall.  This last upgrade of SecureShell was a killer to me!
>   Aside: Now I understand why folks really like rpms - and
>         Red Hat Network!  I just pushed an amendment to
>         our budget for next year that will cover all our
>         firewalls on RHN.
> 
> >
> > Not only that... but the *last* thing you want to use for configuration of
> > a secure firewall is a configuration channel going over the most insecure
> > wide-open protocol known to man.  =)
> >
> > I would think that if anything, you'd be better off doing some kind of
> > openssh tunneled thing.
> 
> Agreed, you really wouldn't want to use SNMP.  I'm sure there must be a
> simple way to move the information around using ssl or across a ssh
> connection.
> 
> Jon
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
I am still collecting the ideas in the responses to formulate a summary
response. As Jon noted, as the number of firewalls grows there comes a point
where "some" system of management is needed. It could be simply a
single server where the rules are under revision control and are pushed
via scp to the firewalls. Some of the things I see needing a centralized
view/management are:
	1. For any given DMZ what is my policy and do the rules fit the policy?
	   I thought of a way of parsing the rules and giving an HTML table of
	   what is allowed to/from a particular firewall. The presentation
	   should be something a high-level manager could use.

	2. At any given point in time how are my firewalls doing? Again, once a
	   way to gather the info is established, it needs to be rolled up
	   into a high-level view and presented on a web page.


	3. If I fat-finger a rule and lock out remote admin, what do I do? I
	   thought Compaq's lights-out card would solve this.

	4. Will need to get a load balancer for firewalls that keeps state and
	   hopefully does not require any network topology changes.

Side motivation. More and more I see the need to collect and correlate
data. To this end I am going to try to build an Oracle database on my
server at home. Once built, I plan on mucking around with populating
the database with nmap output.


-- 
Glen Ford
gford at idiom.com
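Item 1 above (a manager-readable table of what a firewall allows, and a check of whether the rules fit the declared policy), worked as an added example. This is not code from the thread or from any poster; it is a shell script of the kind that would run on the central management server after `ssh fw iptables-save` has fetched the live rules. The iptables-save sample, the firewall name `dmz-fw`, the addresses, and the one-line-per-flow policy-file format are all assumptions made for the example.

```shell
#!/bin/sh
# fw-report.sh: flatten iptables-save output into one "who may talk to
# whom" line per rule, render it as an HTML table for a per-firewall
# status page, and list ACCEPT rules the declared policy does not cover.
# Added example; the policy-file format, firewall name and addresses
# are assumptions, not details from the thread.

# Constructed iptables-save output standing in for `ssh fw iptables-save`.
sample_save() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 198.51.100.20/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 198.51.100.20/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# One line per rule: chain iface proto src dst dport state target.
# Only the common matches are decoded; negation with "!", --sport,
# -m limit and the like are dropped, so review the raw rules for those.
flatten_rules() {
    awk '
    /^-A / {
        chain = $2; iface = "*"; proto = "any"
        src = "0.0.0.0/0"; dst = "0.0.0.0/0"; dport = "*"; state = "-"; target = "?"
        for (i = 3; i <= NF; i++) {
            if      ($i == "-i")      iface  = $(i + 1)
            else if ($i == "-p")      proto  = $(i + 1)
            else if ($i == "-s")      src    = $(i + 1)
            else if ($i == "-d")      dst    = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            else if ($i == "--state") state  = $(i + 1)
            else if ($i == "-j")      target = $(i + 1)
        }
        print chain, iface, proto, src, dst, dport, state, target
    }'
}

# HTML table for the management web page; $1 names the firewall.
rules_to_html() {
    echo "<h2>Flows permitted and denied by $1</h2>"
    echo "<table border=\"1\"><tr><th>Chain</th><th>In</th><th>Proto</th><th>Source</th>"
    echo "<th>Destination</th><th>Port</th><th>State</th><th>Action</th></tr>"
    flatten_rules | awk '{ printf "<tr>"; for (i = 1; i <= NF; i++) printf "<td>%s</td>", $i; print "</tr>" }'
    echo "</table>"
}

# Policy file (assumed format): one "chain iface proto dport" line per
# flow the DMZ policy says may be opened.  Prints every ACCEPT rule that
# opens new connections (no --state match) and is not in the policy.
policy_violations() {
    awk 'FILENAME == ARGV[1] { ok[$1 " " $2 " " $3 " " $4] = 1; next }
         $8 == "ACCEPT" && $7 == "-" && !(($1 " " $2 " " $3 " " $6) in ok)' "$1" -
}

# Demo on the constructed sample: the 443 rule is not in the policy.
policy=$(mktemp)
printf 'INPUT lo any *\nINPUT * tcp 22\nFORWARD * tcp 80\n' > "$policy"
sample_save | rules_to_html dmz-fw
echo "Rules not covered by policy:"
sample_save | flatten_rules | policy_violations "$policy"
rm -f "$policy"
```

The flattened form deliberately keeps the `--state` match as its own column: a rule such as `-m state --state ESTABLISHED,RELATED -j ACCEPT` would otherwise render as "any source, any destination, ACCEPT" and read to a manager as a hole that is not there. For the same reason, treat the table as a summary and the raw iptables-save file as the record.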



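The "rules under revision control, pushed via scp" idea and item 3 (a fat-fingered rule locking out remote admin), worked as an added example script that is not part of the thread. It pushes a ruleset over ssh/scp, as the thread prefers to SNMP, and applies it behind a timed rollback on the firewall: unless the admin can still log in and disarm the watchdog, the old rules come back by themselves. The management station address 192.0.2.10, the `/var/tmp` paths, root ssh logins, the 120-second window and the sample ruleset are all my assumptions, not details from the posts.

```shell
#!/bin/sh
# push-rules.sh: push a revision-controlled iptables ruleset from the
# management server to a firewall over scp/ssh, then apply it behind a
# timed rollback so a fat-fingered rule cannot lock out remote admin.
# Added example; ADMIN_HOST, the /var/tmp paths and the 120 s window are
# assumptions, not details from the thread.

ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"     # assumed management station
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"      # time we have to confirm

# Constructed sample ruleset in iptables-save format (stand-in for a
# file checked out of revision control).
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity checks before a ruleset leaves the management server.
# Returns 0 if it is safe to push, 1 with a reason on stderr otherwise.
check_ruleset() {
    file="$1"
    grep -q '^\*filter' "$file" || { echo "$file: no *filter table" >&2; return 1; }
    grep -q '^COMMIT'   "$file" || { echo "$file: missing COMMIT" >&2; return 1; }
    # Without an ssh ACCEPT from the management station the push itself
    # cuts us off until the rollback fires; refuse it outright.
    grep -Eq -- "^-A INPUT .*-s ${ADMIN_HOST}(/32)? .*--dport 22 .*-j ACCEPT" "$file" \
        || { echo "$file: no ssh ACCEPT for ${ADMIN_HOST}" >&2; return 1; }
}

# The script executed on the firewall: save the live rules, load the new
# ones, and arm a watchdog that restores the old rules unless the marker
# file is removed within ROLLBACK_SECS.  If iptables-restore rejects the
# file, set -e stops here and the live rules are untouched.
remote_apply_script() {
    cat <<EOF
set -e
export ROLLBACK_SECS=${ROLLBACK_SECS}
iptables-save > /var/tmp/iptables.rollback
iptables-restore < /var/tmp/iptables.new
touch /var/tmp/iptables.pending
nohup sh -c 'sleep \$ROLLBACK_SECS
  if [ -e /var/tmp/iptables.pending ]; then
      iptables-restore < /var/tmp/iptables.rollback
      rm -f /var/tmp/iptables.pending
  fi' >/dev/null 2>&1 </dev/null &
EOF
}

# Copy, apply, then confirm: if a fresh ssh login still works after the
# new rules are live we were not locked out, so disarm the watchdog.
# If it fails, the firewall reverts on its own when the timer fires.
push_ruleset() {
    fw="$1"; file="$2"
    check_ruleset "$file" || return 1
    scp -q "$file" "root@${fw}:/var/tmp/iptables.new" || return 1
    remote_apply_script | ssh "root@${fw}" sh || return 1
    ssh -o ConnectTimeout=10 "root@${fw}" rm -f /var/tmp/iptables.pending
}

if [ $# -eq 2 ]; then
    push_ruleset "$1" "$2"           # usage: push-rules.sh <firewall> <ruleset>
else
    # No firewall given: just run the pre-push check on the sample.
    tmp=$(mktemp); sample_ruleset > "$tmp"
    check_ruleset "$tmp" && echo "sample ruleset passes pre-push checks"
    rm -f "$tmp"
fi
```

The confirmation step is a separate ssh connection on purpose: the session that loaded the rules is already established and may keep working through a rule that blocks new connections, so it proves nothing. Pick the window long enough to notice a failure and short enough that a remote site is not left open with a bad policy for long; the lights-out card mentioned in item 3 remains the fallback for the case where the rollback itself does not run.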