[TriLUG] Ideas about centralized management iptables via SNMP traps

Jon Carnes jonc at nc.rr.com
Tue Mar 19 21:36:53 EST 2002


 --- Original Message: Tuesday 19 March 2002 03:58 pm ---
> Chris Hedemark [chris at yonderway.com] wrote:
> > No thanks.  Sounds too easily exploitable.  The firewall box should be
> > very paranoid about using external data sources to decide on whether to
> > permit or deny traffic.
> >
> > BTW - How many firewalls do you need anyway?  One firewall box can handle
> > quite a few fast ethernet connections, and T1's are a piece of cake.  I'm
> > trying to understand your problem better and I'm wondering if the site
> > really is so large to need so many firewalls or will just one really well
> > configured firewall fit the bill?

For a small company a single firewall is necessary and sufficient, but as a 
company grows they will begin to use specialized firewalls for various 
purposes.  As they grow even larger, a company will bring in redundancy so 
that they can run their shop 24x7 with no down-time.

At HAHT's Raleigh office we have 5 to 9 firewalls (depending on how liberal 
your definition of "firewall" is).  Management of the lot can be a bit of a 
hassle.  Throw into the mix all the firewalls at our remote sites, and we've 
got around 18 firewalls to manage.

So what is there to manage?  Traffic for one thing, and Routing for 
another.  All our firewalls do routing and each has their own special routing 
task(s).  Bring on a new segment to our WAN, and all the routing tables have 
to be updated.  

Also, we need to know what packages/apps are installed and *used* on each 
firewall.  This last upgrade of SecureShell was a killer to me! 
  Aside: Now I understand why folks really like rpms - and
        Red Hat Network!  I just pushed an amendment to
        our budget for next year that will cover all our 
        firewalls on RHN.

>
> Not only that... but the *last* thing you want to use for configuration of
> a secure firewall is a configuration channel going over the most insecure
> wide-open protocol known to man.  =)
>
> I would think that if anything, you'd be better off doing some kind of
> openssh tunneled thing.

Agreed, you really wouldn't want to use SNMP.  I'm sure there must be a 
simple way to move the information around using ssl or across a ssh 
connection.

Jon
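One way to do what the last paragraph describes, moving a ruleset to each firewall over ssh rather than SNMP, as an added example that is not from this thread or its authors. The host names, the `/var/backups` and `/var/run` paths, root ssh with key-based `BatchMode`, and the `iptables.confirmed` marker file are all assumptions for illustration. The ruleset is checked locally before it leaves the admin box, travels inside the ssh session itself, and each firewall reverts to its previous rules on its own unless the push is confirmed within a deadline, so a bad rule that locks you out does not stay in place.

```shell
#!/bin/sh
# Added example (not from the TriLUG thread): push one iptables-save style
# ruleset to several firewalls over ssh. Each host backs up its running rules
# and reverts to them unless the push is confirmed before the deadline.
# Host names, paths and the confirm marker are assumptions for illustration.

set -eu

# Constructed target list; override with FIREWALLS="host1 host2" in the environment.
FIREWALLS="${FIREWALLS:-fw-edge.example.internal fw-dmz.example.internal}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"

# Sanity-check the ruleset before it leaves the admin box: it must be
# non-empty, declare a *filter table, and end with COMMIT so that
# iptables-restore is never handed a truncated file.
check_ruleset() {
    f="$1"
    [ -s "$f" ] || { echo "check_ruleset: $f is empty or missing" >&2; return 1; }
    grep -q '^\*filter$' "$f" || { echo "check_ruleset: no *filter table in $f" >&2; return 1; }
    [ "$(tail -n 1 "$f")" = "COMMIT" ] || { echo "check_ruleset: $f does not end with COMMIT" >&2; return 1; }
    return 0
}

# Emit the script that runs on the firewall. The ruleset is embedded as a
# quoted here-document, so the rules and the apply logic share one ssh session
# and nothing crosses the wire in the clear.
build_remote_script() {
    f="$1"
    secs="$2"
    cat <<EOF
set -e
umask 077
mkdir -p /var/backups
iptables-save > /var/backups/iptables.prev
cat > /var/backups/iptables.new <<'__RULES__'
$(cat "$f")
__RULES__
rm -f /var/run/iptables.confirmed
iptables-restore < /var/backups/iptables.new
# Dead man's switch: restore the previous rules unless confirm_push runs in time.
nohup sh -c 'sleep $secs; [ -e /var/run/iptables.confirmed ] || iptables-restore < /var/backups/iptables.prev' >/dev/null 2>&1 &
EOF
}

# Push the ruleset to one firewall over ssh (BatchMode: keys only, no prompts).
push_ruleset() {
    host="$1"
    f="$2"
    check_ruleset "$f"
    build_remote_script "$f" "$ROLLBACK_SECS" | ssh -o BatchMode=yes "root@$host" sh -s
}

# Once you have verified you can still reach the box, cancel its rollback.
confirm_push() {
    host="$1"
    ssh -o BatchMode=yes "root@$host" touch /var/run/iptables.confirmed
}

# Usage: ./push-rules.sh push /etc/fw/rules.v4   then   ./push-rules.sh confirm
case "${1:-}" in
    push)
        rules="${2:?ruleset file required}"
        for h in $FIREWALLS; do
            echo "pushing $rules to $h (rollback in ${ROLLBACK_SECS}s unless confirmed)"
            push_ruleset "$h" "$rules"
        done
        ;;
    confirm)
        for h in $FIREWALLS; do confirm_push "$h"; done
        ;;
esac
```

Run `push` with the ruleset path, check that ssh to each firewall still works, then run `confirm`; if you forget, or the new rules cut you off, every host is back on its previous ruleset after `ROLLBACK_SECS`. Because `iptables-restore` only commits a table when the whole file parses, a ruleset that fails to load leaves the old rules in place and the remote script stops under `set -e` before the watchdog is started.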


