Educause Security Discussion mailing list archives

Re: Rethinking the DMZ


From: Justin Azoff <JAzoff () ALBANY EDU>
Date: Thu, 6 Sep 2012 15:42:43 -0400

On Thu, Sep 06, 2012 at 01:53:48PM -0400, Haines, Ena wrote:
If the IT dept has 250 servers managed by 3 or 4 admins, then what?
Are any of your server admin teams happy with a system for managing
the "personal firewall" on each server? Can you set it locally and
forget it every time you deploy a new server? Don't your port
requirements change as ours do when there's an app upgrade or a
middleware upgrade, etc.?

Some days it seems as though it's really about manageability.

I don't run 250 systems, it's closer to 25, but I easily manage the
firewall rulesets on multiple servers centrally with puppet.  Every
service that needs a port opened pushes out a corresponding '.rules' file
that gets dropped in /etc/firewall.d/.

Since I set this up I haven't had to touch the firewall ruleset on an
individual machine.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst