Firewall Wizards mailing list archives
Re: DISA eliminating firewalls
From: Tim Harris <tim () fbnservices us>
Date: Sat, 6 Jul 2013 09:06:11 -0700
The cited references are certainly a step in the right direction, but they seem to be only partway toward the concept I am thinking about. It is still necessary for the administrator to do a great deal of work and to manage the individual devices. I'd like to see something that abstracts it at least one more level.

Imagine an environment containing dozens (or more) routers and firewalls/security devices. The operator should be able to define a single set of rules for permitted traffic, denied traffic, permitted/denied sources and destinations. The system should be able to parse that into subsets and distribute them automatically. The admin should not have to examine each firewall individually.

The McAfee product sheet states "The McAfee Firewall Enterprise Admin Console offers a basic environment for connecting to and managing one or more firewalls". That suggests that I must still manage each firewall individually. 10 firewalls = 10 devices to manage. The firewalls, routers, and switches should be viewed as one device: 100 firewalls + 200 routers = 1 rule set and 1 device to manage.

If one of the firewalls is in a portion of the network that never sees a given range of traffic, then it doesn't need the applicable rules, and the central console should figure that out and not push them. For example, a router in the public address space will never see a private address. It doesn't need to have all the rules about private devices.

I apologize if I seem dense; perhaps I'm not explaining clearly.

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Patrick M. Hausen
Sent: Friday, July 05, 2013 1:38 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] DISA eliminating firewalls

Hi, Wizards,

On 05.07.2013 at 18:21, Tim Harris <tim () fbnservices us> wrote:
I would argue that the next logical step in firewalls is a meta-firewall. Suppose that I have a large, distributed network with multiple firewalls and routers. I argue that a good firewall software ought to be able to treat that as a single administrative unit.
In fact, products like this have been around for quite a while. I don't quite remember if NAI had a central management/policy tool for the Gauntlet firewalls, but I guess they did. At least Secure Computing had it in 2003 for the then announced Sidewinder G2 (partly Sidewinder, partly Gauntlet). Cyberguard, acquired by Secure Computing in 2005, already had it before 2005.

Current McAfee product: http://www.mcafee.com/us/resources/data-sheets/ds-firewall-management.pdf

Heck, Cisco has got it for ASA: http://www.cisco.com/en/US/products/ps6498/index.html

Kind regards,
Patrick

--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info () punkt de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
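As an added illustration, not code from this thread or from any of the products named in it: a small Python model of the distribution step Tim describes, where one global rule set is compiled into per-device subsets and a device only receives a rule if both its source and its destination fall inside address space that device can see, so the public-side router never gets the private-address rules. The device names, address ranges and rules are constructed; the "address space a device sees" is assumed to be the prefixes it routes or is directly attached to.

```python
"""Compile one global firewall policy into per-device rule subsets (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    service: str  # e.g. "tcp/443" or "any"


# Constructed global policy using RFC 5737 documentation and RFC 1918 private ranges.
GLOBAL_POLICY: List[Rule] = [
    Rule("permit", "0.0.0.0/0", "203.0.113.10/32", "tcp/443"),  # public web server
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "any"),             # no outside access to private space
    Rule("permit", "10.1.0.0/16", "10.2.0.0/16", "tcp/5432"),   # app tier to database tier
    Rule("deny", "10.0.0.0/8", "10.0.0.0/8", "any"),            # default deny between private nets
]

# Constructed devices: the prefixes each one routes or is attached to (assumption: no default route listed).
DEVICES: Dict[str, List[str]] = {
    "edge-router": ["203.0.113.0/24", "198.51.100.0/24"],  # public address space only
    "dmz-firewall": ["203.0.113.0/24", "10.1.0.0/16"],
    "core-firewall": ["10.0.0.0/8"],
}


def rules_for_device(visible_cidrs: List[str], policy: List[Rule]) -> List[Rule]:
    """Return, in original order, only the rules whose traffic could ever cross this device."""
    visible = [ip_network(c) for c in visible_cidrs]
    subset: List[Rule] = []
    for rule in policy:
        src, dst = ip_network(rule.src), ip_network(rule.dst)
        # Both endpoints must lie in space the device sees; otherwise the rule can never match here.
        if any(src.overlaps(v) for v in visible) and any(dst.overlaps(v) for v in visible):
            subset.append(rule)
    return subset


def compile_policy(devices: Dict[str, List[str]], policy: List[Rule]) -> Dict[str, List[Rule]]:
    """Map every device name to the subset of the global policy it should receive."""
    return {name: rules_for_device(cidrs, policy) for name, cidrs in devices.items()}


if __name__ == "__main__":
    for name, rules in compile_policy(DEVICES, GLOBAL_POLICY).items():
        print(f"{name}: {len(rules)} of {len(GLOBAL_POLICY)} rules")
        for r in rules:
            print(f"  {r.action:6} {r.src:>16} -> {r.dst:<16} {r.service}")
```

Rules with an "any" (0.0.0.0/0) endpoint are pushed wherever the other endpoint is visible, which is the conservative choice; the edge router ends up with only the public web-server rule.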