Firewall Wizards mailing list archives

Firewall Management


From: "Safier, Adam (GEIS)" <Adam.Safier () geis ge com>
Date: Thu, 18 Sep 1997 15:42:25 -0400

OK, let me kick off potential discussion on this list by asking

How are people managing remote firewalls in LARGE distributed networks?


Say 100 firewalls minimum on 35 Networks with several layers of
firewalled subnets/extranets with slight variations in policy.  

After installing the box and turning on the power I'm interested in:

- Centralized management of policy  (Policy should not change
frequently.)

- Local control of authorization for individual users (You and your boss
know what you need to access for your job.)

- An option for central control of individual authorization or cross
realm authorization.

- Central control of degrees of authorization (Authorize the authorizers
to selected systems.)  

- Centralized activity reports, alarm handling, other log analysis.  AI
based intrusion detection would be real nice.

- Log archiving.

- Attack reaction tools - At the touch of a button the system notifies
CERT, archives relevant logs, tries to trace to the attack source
(CARS*), shuts down access to compromised systems and makes me a cup of
hot chocolate.

Add your favorite requirements here....................

How many people do you need to manage a real life network with 100
firewalls?  1000 firewalls?

What part of 1000 firewalls can be managed centrally and what must be
managed locally? 

Next year I will try to answer my own questions.
Adam

* CARS - "Cooperative Attack Reaction Systems".  Would system managers
be willing to run a daemon that on a request from a "trusted partner"
would trace the account and source of a connection?  Trusted partners
would trade keys to keep access to the application secure.  If my system
is attacked from your system I send you a CARS request to track the
origin of the attack within your system.  You come up with account info
+ whether this session is really being run over a link.  If it's coming
in over a link you pass a CARS request down the link.  Within seconds
the attack is traced through 73 hops, 4 satellites and across 7
continents to the attacker's home system and the police are notified.
They trust CARS totally and turn on their null-Green Ray which causes
the video display to emit in one burst all the green PC energy it saved
over years of being left on overnight.  My attacker is fried!  It's
strictly imagination ware at this time.  Anyone out there with some
spare development change?


---------------
Adam Safier,  Network Engineer/Security Consultant
GE Information Services, Inc.
401 North Washington St., Rockville, Md. 20850
Ph: 301-340-5737    Internal: 8*273-5737   Fax: 301-340-4005
Adam.Safier () geis ge com        http://www.geis.com

I'm proud to live in a country where I can express my personal opinions.
The opinions above may not be shared by my employer.
---------------
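The split the wish list asks for (central policy that rarely changes, local authorizers granting individual users, and central control over what each authorizer may grant) can be modelled directly. The following is an added illustration, not code from the list or from any product mentioned; the network, system and user names are constructed:

```python
from dataclasses import dataclass, field


@dataclass
class CentralPolicy:
    """Owned by the central team; expected to change rarely."""
    # network -> systems that firewalls on that network may pass traffic to
    reachable: dict = field(default_factory=dict)
    # local authorizer -> systems that authorizer is allowed to grant users
    delegations: dict = field(default_factory=dict)

    def delegate(self, authorizer, system):
        # "Authorize the authorizers to selected systems."
        self.delegations.setdefault(authorizer, set()).add(system)


@dataclass
class LocalAuthorizations:
    """Maintained at one site by its own authorizer (you and your boss)."""
    grants: dict = field(default_factory=dict)  # user -> systems

    def grant(self, central, authorizer, user, system):
        # A local grant is only valid inside the scope central delegated.
        if system not in central.delegations.get(authorizer, set()):
            raise PermissionError(f"{authorizer} is not delegated for {system}")
        self.grants.setdefault(user, set()).add(system)


def access_allowed(central, local, network, user, system):
    # Both layers must agree: central reachability AND a local user grant.
    return (system in central.reachable.get(network, set())
            and system in local.grants.get(user, set()))


def demo():
    central = CentralPolicy(reachable={"net-7": {"payroll-db", "mail-relay"}})
    central.delegate("alice-boss", "payroll-db")
    site = LocalAuthorizations()
    site.grant(central, "alice-boss", "alice", "payroll-db")
    try:
        # mail-relay is reachable from net-7 but was never delegated to alice-boss
        site.grant(central, "alice-boss", "alice", "mail-relay")
        overreach_blocked = False
    except PermissionError:
        overreach_blocked = True
    return {
        "alice_payroll": access_allowed(central, site, "net-7", "alice", "payroll-db"),
        "alice_mail": access_allowed(central, site, "net-7", "alice", "mail-relay"),
        "bob_payroll": access_allowed(central, site, "net-7", "bob", "payroll-db"),
        "overreach_blocked": overreach_blocked,
    }
```

The point of the model is that a site can never grant more than central delegated, while central never has to know individual users.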




