Re: DISA eliminating firewalls

[Tim Harris <tim () fbnservices us>]

The cited references are a certainly a step in the right direction but they seem to be only partway toward the concept 
I am thinking about.  It is still necessary for the administrator to do a great deal of work and to manage the 
individual devices.  I'd like to see something that abstracts it at least one more level.

Imagine an environment containing dozens (or more) routers and firewalls/security devices.  The operator should be able 
to define a single set of rules for permitted traffic, denied traffic, permitted/denied sources and destination.  The 
system should be able to parse that into subsets and distribute them automatically.  The admin should not have to 
examine each firewall individually.

The McAfee product sheet states "The McAfee Firewall Enterprise Admin Console offers a basic environment for connecting 
to and managing one or more firewalls".  That suggest that I must still manage each firewall individually.  10 
firewalls = 10 devices to manage.  The firewalls, routers, and switches should be viewed as one device: 100 firewalls + 
200 routers = 1 rule set and 1 device to manage.

If one of the firewalls is in a portion of the network that never sees a given range of traffic, then it doesn't need 
the applicable rules and the central console should figure that out and not push them.  For example, a router in the 
public address space will never see a private address.  It doesn't need to have all the rules about private devices.

I apologize if I seem dense, perhaps I'm not explaining clearly.

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On 
Behalf Of Patrick M. Hausen
Sent: Friday, July 05, 2013 1:38 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] DISA eliminating firewalls

Hi, Wizards,

Am 05.07.2013 um 18:21 schrieb Tim Harris <tim () fbnservices us>:
> I would argue that the next logical step in firewalls is a meta-firewall.
> Suppose that I have a large, distributed network with multiple firewalls and routers.
> I argue that a good firewall software ought to be able to treat that as a single administrative unit.
> .


In fact products like this have been around for quite a while.

I don't quite remember if NAI had a central management/policy tool for the Gauntlet firewalls but I guess they did.

At least Secure Computing had it in 2003 for the then announced Sidewinder G2 (partly Sidewinder, partly Gauntlet).

Cyberguard, acquired by Secure Computing in 2005, already had it before 2005.

Current McAfee product:
http://www.mcafee.com/us/resources/data-sheets/ds-firewall-management.pdf

Heck, Cisco has got it for ASA:
http://www.cisco.com/en/US/products/ps6498/index.html

Kind regards,
Patrick
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe Tel. 0721 9109 0 * Fax 0721 9109 100
info () punkt de       http://www.punkt.de
Gf: Jürgen Egeling      AG Mannheim 108285



_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards