Firewall Wizards mailing list archives
Re: firewall-wizards Digest, Vol 25, Issue 2
From: "Boni Bruno" <bbruno () dsw net>
Date: Fri, 2 May 2008 11:06:05 -0700
I do not know about a Cisco Security Manager clone, but have you looked at PCONSOLE? You can get it free at: http://www.ka.sara.nl/home/walter//pconsole/

Since you're using SSH anyways, you can use pconsole to simultaneously connect to, say, 10 ASAs, type what you need to, and submit the changes. 10 is just an arbitrary number; it's a really nice Linux tool. As long as you're comfortable with Linux, this may be a nice way to go. It not only addresses ASA firewalls, you can use it to connect to switches, routers, Unix systems, etc. It can save you a lot of time...

Regards,
boni bruno

3. Cisco Security Manager clone? (Mike Davis)

------------------------------

Message: 3
Date: Wed, 30 Apr 2008 11:01:45 -0400
From: Mike Davis <mdavis () gsp net>
Subject: [fw-wiz] Cisco Security Manager clone?
To: "'firewall-wizards () listserv icsalabs com'" <firewall-wizards () listserv icsalabs com>
Message-ID: <4009CF9A6B939540A8A8D80C32BF6A963FAB677222 () gadps-mail2 gadps net>
Content-Type: text/plain; charset="us-ascii"

This is my first posting so be gentle ;-)

I have an environment that is all Cisco based firewalls for my edge protection and site to site VPNs. I have a little over 100 remote sites running on ASA 5505s with an AES tunnel to both the primary (HQ) and secondary (DR) sites. It is working quite nicely and has been for years now, but the problem I have is this... all my remote site firewalls are not centrally managed in the sense that I can make one change in a console and push it globally to all my remote firewalls, so when a change is required I have to log into each and every one (I use SSH) and make the changes. I know that Cisco Security Manager will allow me to do that, but at the 100K price tag I was quoted from Cisco with the blink of an eye... I just cannot put that into my budget. Does anyone know of or can recommend any freeware or low-cost-ware application that will allow me to monitor and make global config changes without having to SSH to each one?

The ability to segregate into groups and manage based upon groups would certainly be a plus as well, but not a requirement.

Thanks in advance!

Mike Davis

------------------------------

Message: 4
Date: Wed, 30 Apr 2008 15:49:40 -0400
From: "Marcus J. Ranum" <mjr () ranum com>
Subject: Re: [fw-wiz] 10Gb Firewalls
To: km4 () sanger ac uk, Firewall Wizards Security Mailing List <firewall-wizards () listserv icsalabs com>, Razeor <razeor () gmail com>
Message-ID: <6.2.0.14.2.20080430153229.02a396b8 () ranum com>
Content-Type: text/plain; charset="us-ascii"

Kerry Milestone wrote:
> Other than that, I guess the theories for firewalling are the same
> whether it be 100Mb or 10Gb - the device just needs to handle it.

Um, no. If you're letting 10Gb/sec through, there's no way you're doing any layer-7 analysis. If all you're doing is mostly below layer-7 then there's not much need for a "firewall" - you're really just using your firewall to implement something that's hardly more useful than a router ACL. I'm emphatically not saying router ACLs are bad - far from it - but you need to understand that most of the interesting action in security, nowadays, is taking place at layer-7.*

For situations where "wire speed" is necessary, wire is the only technology that'll cut it. So, what you need to do is identify which services offer layer-7 security controls that you're comfortable with, and which can be addressed at layer-4, or whatever other layer.

One useful conceptual framework is the "security stack"** - basically think of your security problems in detail in terms of where you're going to apply your controls: at what layer of the stack:

7) Policy
6) Practices
5) Applications
4) Proxies
3) IP Filtering and router ACLs
2) IP Stack Termination
1) Physical and VLAN/MAC filtering

Arguably, there should be a layer 8 entitled "making it someone else's problem" (i.e.: risk arbitrage or indemnification).

Anyway, let's suppose your problem is that you need to do "wire speed firewalling" of a web server. You can look at your applications mix and decide that you'll address security for everything except DNS and HTTP/SSL at security stack layer-3. Then you'll deal with HTTP/SSL at security stack layer-5 by locking down the server, chrooting it, and running on SElinux with restricted privs on your http/ssl daemon. And, perhaps you'll deal with DNS at security stack layer-6 by having someone responsible for keeping their ear to the ground for new DNS vulns and being prepared to react rapidly. That's just an example - I wouldn't recommend addressing DNS at security stack layer-6, but you get the idea.

The point is to think about what services are going to bypass straight into your network (and why) and which are going to force-terminate at an application. Basically, it's just a doctrine of security design -- and "design" is what gets left out of security critical systems all too often. In fact "put a firewall in" is a security 'design' with vastly less attention to detail than a well-reasoned pieces/parts implementation where you've looked at each protocol and decided where in the computer security stack to deal with it. Last, but not least, you can layer defenses at multiple layers in the security stack (aka: "defense in depth").

This approach is not a panacea; it's simply an organizing principle I've found useful when trying to explain "letting HTTP straight in through your firewall to Microsoft IIS is suicide" to executives.

Bandwidth is not a property of security. It's a side-effect.

mjr.

(* and above)
(** this brilliant idea is not mine. I've forgotten whose it was, or I'd credit.)

------------------------------

Message: 5
Date: Wed, 30 Apr 2008 15:52:35 -0400
From: "Marcus J. Ranum" <mjr () ranum com>
Subject: Re: [fw-wiz] 10Gb Firewalls
To: Firewall Wizards Security Mailing List <firewall-wizards () listserv icsalabs com>
Message-ID: <6.2.0.14.2.20080430155011.02a61a38 () ranum com>
Content-Type: text/plain; charset="us-ascii"

dgorin () computer org wrote:
> - Full security comes as no traffic flow (look at the Ultimate Firewall
> TM of Marcus J. Ranum)

Sorry, I've discontinued that. It's an "Intrusion Prevention System" now. See:
http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html
for the petabyte-capable version.

My diesel-powered firewall is here:
http://www.ranum.com/fun/bsu/ultimatefirewall/index.html

mjr.

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest, Vol 25, Issue 2
***********************************************
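As an added example of the batch-over-SSH approach Boni Bruno suggests for Mike Davis's "push one change to 100 ASAs" problem (not code from either poster, nor from pconsole): a small POSIX shell script that selects ASA hosts by group from an inventory file, which covers the grouping Mike asked for, and pushes one config block to each over SSH with a per-device log. It assumes key-based SSH as a user that lands at privileged exec, that the ASA accepts config lines on stdin, and the hostnames, `admin` account and log-server address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the list posts): push one ASA config block to many
# firewalls over SSH, selecting devices by group from an inventory file.
# Assumptions: key-based SSH as a user that lands at privileged exec, the ASA
# accepting config lines on stdin, and the constructed hostnames/user below.

INVENTORY="${INVENTORY:-asa_inventory.txt}"
SSH_USER="${SSH_USER:-admin}"      # placeholder account name
DRY_RUN="${DRY_RUN:-1}"            # 1 = print what would be sent, 0 = push

# Write a constructed sample inventory: "<hostname> <group>" per line.
make_sample_inventory() {
  cat > "$1" <<'EOF'
asa-hq-1      hq
asa-dr-1      dr
asa-site-001  remote
asa-site-002  remote
# comment lines and blank lines are ignored
EOF
}

# Print the hostnames in a group; "all" selects every host.
select_hosts() {   # $1 = group, $2 = inventory file
  awk -v g="$1" '/^[ \t]*(#|$)/ { next } g == "all" || $2 == g { print $1 }' "$2"
}

# Push the config block read from stdin to every host in the group, one host
# at a time, with a per-device log so a failed push is never silent.
# Returns the number of hosts that failed (0 = all succeeded).
push_config() {    # $1 = group; config lines on stdin
  cfg=$(cat)
  failed=0
  for h in $(select_hosts "$1" "$INVENTORY"); do
    if [ "$DRY_RUN" = 1 ]; then
      printf 'DRY-RUN %s:\n%s\n' "$h" "$cfg"
    elif printf 'conf t\n%s\nend\nwrite memory\n' "$cfg" |
         ssh -o BatchMode=yes -o ConnectTimeout=10 "$SSH_USER@$h" \
         > "push_$h.log" 2>&1; then
      echo "OK   $h"
    else
      echo "FAIL $h (see push_$h.log)"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}
```

To see what would be sent without touching a device, run `make_sample_inventory asa_inventory.txt` and then `printf 'logging host inside 10.0.0.5\n' | push_config remote` with `DRY_RUN=1`; set `DRY_RUN=0` only against your own inventory.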