Educause Security Discussion mailing list archives

Re: Rethinking the DMZ


From: Harry Hoffman <hhoffman () IP-SOLUTIONS NET>
Date: Thu, 6 Sep 2012 15:49:40 -0400

With a combination of GPO under Windows, and
SSH/{puppet/cfengine/bcfg2}/Func/etc for *nix it becomes pretty easy to
manage large numbers of systems in a reasonable manner.

I would suspect that Justin's 25 servers per person might be on the low
end in our environments.

If you are running that many systems and aren't using something for
configuration management you've probably already run afoul of many
things, PCI being at least one of them.

Cheers,
Harry

On 09/06/2012 03:42 PM, Justin Azoff wrote:
> On Thu, Sep 06, 2012 at 01:53:48PM -0400, Haines, Ena wrote:
>> If the IT dept has 250 servers managed by 3 or 4 admins, then what?
>> Are any of your server admin teams happy with a system for managing
>> the "personal firewall" on each server? Can you set it locally and
>> forget it every time you deploy a new server? Don't your port
>> requirements change as ours do when there's an app upgrade or a
>> middleware upgrade, etc.?
>>
>> Some days it seems as though it's really about manageability.
>
> I don't run 250 systems, it's closer to 25, but I easily manage the
> firewall rulesets on multiple servers centrally with puppet.  Every
> service that needs a port opened pushes out a corresponding '.rules' file
> that gets dropped in /etc/firewall.d/.
>
> Since I set this up I haven't had to touch the firewall ruleset on an
> individual machine.
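An added example, not from the thread and not Justin's actual puppet setup: the node-side assembly step such a scheme needs, written as a POSIX shell function that merges the per-service '.rules' fragments from a directory like /etc/firewall.d/ into one iptables-restore ruleset with a default-deny INPUT policy, and refuses any fragment that tries to do more than append INPUT rules. The directory layout, the rule syntax, and the sample fragments are assumptions.

```shell
#!/bin/sh
# Assemble per-service firewall fragments into a single iptables-restore
# ruleset. Assumed layout (not from the thread): one file per service,
# e.g. /etc/firewall.d/sshd.rules, each containing only "-A INPUT ..." lines.
# Usage on a host:  build_ruleset /etc/firewall.d > /run/firewall.rules \
#                   && iptables-restore --test /run/firewall.rules

build_ruleset() {
    dir="$1"
    printf '%s\n' '*filter'
    # Default-deny inbound and forwarded traffic; outbound left open here.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        # A fragment may only append INPUT rules (plus comments/blank lines).
        # Anything else (policy changes, flushes, COMMIT, other chains) is a
        # config bug or a tampered file, so fail closed instead of loading it.
        if grep -Evq '^(#|-A INPUT |$)' "$f"; then
            echo "refusing fragment $f: contains a non-INPUT line" >&2
            return 1
        fi
        grep -E '^-A INPUT ' "$f" || true
    done
    # Explicit final drop so the per-host log/deny behaviour is uniform.
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}
```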


