Educause Security Discussion mailing list archives
Re: Rethinking the DMZ
From: Justin Azoff <JAzoff () ALBANY EDU>
Date: Thu, 6 Sep 2012 15:42:43 -0400
On Thu, Sep 06, 2012 at 01:53:48PM -0400, Haines, Ena wrote:
> If the IT dept has 250 servers managed by 3 or 4 admins, then what? Are any of your server admin teams happy with a system for managing the "personal firewall" on each server? Can you set it locally and forget it every time you deploy a new server? Don't your port requirements change as ours do when there's an app upgrade or a middleware upgrade, etc.? Some days it seems as though it's really about manageability.
I don't run 250 systems; it's closer to 25, but I easily manage the firewall rulesets on multiple servers centrally with puppet. Every service that needs a port opened pushes out a corresponding '.rules' file that gets dropped in /etc/firewall.d/. Since I set this up I haven't had to touch the firewall ruleset on an individual machine.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst
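As an added example, not code from the post or from Justin's actual puppet setup, here is one way the server side of the drop-in pattern he describes can work: a POSIX shell script that assembles /etc/firewall.d/*.rules fragments into a single default-deny iptables-restore ruleset and validates it before loading. The fragment format (one iptables INPUT rule per line, '#' comments allowed), the 00-/10- file naming and the apply step are assumptions.

```shell
#!/bin/sh
# Added example (not Justin's puppet code): assemble per-service drop-in
# fragments from /etc/firewall.d/*.rules into one default-deny iptables
# ruleset. The fragment format (one iptables INPUT rule per line, '#'
# comments allowed) and the directory layout are assumptions.
set -eu

# Emit a complete iptables-restore file: default-deny INPUT, allow loopback
# and established flows, then every fragment rule in lexical file order, so
# 00-sshd.rules is applied before 10-httpd.rules.
build_ruleset() {
    dir=$1
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for f in "$dir"/*.rules; do
        [ -e "$f" ] || continue               # no fragments: stay default-deny
        echo "# from $f"
        grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$f" || true
    done
    printf '%s\n' '-A INPUT -j LOG --log-prefix "fw-drop: "' 'COMMIT'
}

# Number of port-opening rules contributed by fragments (for sanity checks).
count_fragment_rules() {
    build_ruleset "$1" | grep -c -- '--dport' || true
}

# Validate first, then load atomically, so a broken fragment never replaces
# the running ruleset. Needs root and iptables-restore; not run below.
apply_ruleset() {
    tmp=$(mktemp) && build_ruleset "$1" >"$tmp"
    iptables-restore --test <"$tmp" && iptables-restore <"$tmp"
    rm -f "$tmp"
}

# Constructed sample fragments, as puppet would drop them for two services.
demo_dir=$(mktemp -d)
printf '%s\n' '-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT' \
    >"$demo_dir/00-sshd.rules"
printf '%s\n' '# web front end' '-A INPUT -p tcp --dport 80 -j ACCEPT' \
    '-A INPUT -p tcp --dport 443 -j ACCEPT' >"$demo_dir/10-httpd.rules"
build_ruleset "$demo_dir"
```

Run as root with `apply_ruleset /etc/firewall.d` from the config-management hook that drops the fragments; the `--test` pass rejects a malformed fragment before anything is committed.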