Firewalls - Ease of Use and Maintenance?

Jimmy Hess mysidia at gmail.com
Thu Nov 10 13:36:58 UTC 2011


On Wed, Nov 9, 2011 at 2:44 PM, Nick Hilliard <nick at foobar.org> wrote:
> On 09/11/2011 19:07, C. Jon Larsen wrote:
> As I said, it's not a pf problem.  Commercial firewalls will do all this
> sort of thing off the shelf.  It's a pain to have to write scripts to do  this manually.

Ah... the high cost of  'free' products,  you have to do some
scripting, or pay another organization to support it / do scripting
work for you.  The advantage is... you _can_ do a small amount of
scripting or programming to add minor additional required
functionality.   And a very large number commercial firewalls do not
have config synchronization, except,  perhaps between a failover pair,
anyways.

Anyways...   I can see synchronizing blacklists on a firewall,   or
having a firewall configured to fetch certain 'drop' rules from a
HTTPS URL.        Otherwise:  the thought of  mass synchronization of
lots of firewalls can be bad in that it creates a single point of
system compromise;  supposing  the synchronization source  machine
were compromised,  one dirty rule inserted by an intruder followed by
a kick off of the sync mechanism,  and then actions to break
it/prevent further syncing, defeats the security of the entire
deployment....

--
-JH




More information about the NANOG mailing list