Network Monitoring in a Firewall Complex

DERY, FREDERIC frederic.dery at connexim.ca
Thu Mar 22 16:17:05 UTC 2001


See the approach described in the Cisco SAFE blueprint; this could be useful
for you.

http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm

Frédéric Déry


-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu]On Behalf Of
Tim Lund
Sent: 21 March 2001 12:46 PM
To: nanog at merit.edu
Subject: Network Monitoring in a Firewall Complex



All,

I have been tasked with architecting a network monitoring/backup solution
for systems which reside within a firewall complex.  The firewall uses a
compartmentalized approach by placing systems which perform similar
functions in the same protective zone.  I have some ideas on how to
accomplish this.

I am leaning toward placing an additional interface into all of the systems
and creating a management network.  The management network would need to
maintain the compartmentalization approach so that a security failure on one
system would not allow the management network to be used as a path of attack
to other systems.  Theoretically I believe I could use a multilayer switch
to control traffic between the interfaces on the management
network while allowing the management/backup servers to route to each
target host. The management network would also allow backups and other
management activities without impacting the bandwidth of the production
network.

I would prefer not to design this in a vacuum and was
wondering how others have done this or any pitfalls if anyone has tried the
management network.  The solution needs to be scalable and manageable.  As
this falls within the realm of network security I am not sure how
forthcoming people will feel but I
would appreciate any and all assistance that you might be willing to
provide.
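As an added illustration (not part of either message in this thread), the following shows how the multilayer switch Tim describes could enforce the compartmentalization on the management network: one VLAN interface per protective zone, with an inbound ACL on each zone interface so hosts can only talk back to the management/backup servers and never to another zone's management interfaces. IOS syntax, VLAN numbers, the 10.250.0.0/16 management addressing and the permitted services (SSH and backup agents opened from the servers, SNMP, syslog) are all assumptions for the example.

```cisco
! Zone SVIs and ACL for a compartmentalized management network (example, not
! from the thread). Addressing, VLAN numbers and services are assumed.
!
interface Vlan10
 description Management and backup servers
 ip address 10.250.10.1 255.255.255.0
!
interface Vlan20
 description Management interfaces, zone A (public web tier)
 ip address 10.250.20.1 255.255.255.0
 ip access-group MGMT-HOST-IN in
!
interface Vlan30
 description Management interfaces, zone B (database tier)
 ip address 10.250.30.1 255.255.255.0
 ip access-group MGMT-HOST-IN in
!
ip access-list extended MGMT-HOST-IN
 remark Replies to TCP sessions the management/backup servers opened
 remark (SSH, backup agent ports). 'established' only checks TCP flags;
 remark a stateful firewall or reflexive ACL is tighter if required.
 permit tcp any 10.250.10.0 0.0.0.255 established
 remark SNMP responses and traps back to the management servers
 permit udp any eq snmp 10.250.10.0 0.0.0.255
 permit udp any 10.250.10.0 0.0.0.255 eq snmptrap
 remark Hosts may push syslog to the management servers
 permit udp any 10.250.10.0 0.0.0.255 eq syslog
 remark Anything else aimed at the management network, including the
 remark management interfaces of other zones, is dropped and logged
 deny ip any 10.250.0.0 0.0.255.255 log
 remark The management network never routes toward production
 deny ip any any log
```

Hosts in the same zone still share a VLAN and can reach each other at layer 2; that matches the zone model in the post, but private VLANs or per-host ACLs can tighten it where a single compromised host in a zone is a concern.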