Firewalls - Ease of Use and Maintenance?
Jimmy Hess
mysidia at gmail.com
Thu Nov 10 13:36:58 UTC 2011
On Wed, Nov 9, 2011 at 2:44 PM, Nick Hilliard <nick at foobar.org> wrote:
> On 09/11/2011 19:07, C. Jon Larsen wrote:
> As I said, it's not a pf problem. Commercial firewalls will do all this
> sort of thing off the shelf. It's a pain to have to write scripts to do this manually.
Ah... the high cost of 'free' products, you have to do some
scripting, or pay another organization to support it / do scripting
work for you. The advantage is... you _can_ do a small amount of
scripting or programming to add minor additional required
functionality. And a very large number commercial firewalls do not
have config synchronization, except, perhaps between a failover pair,
anyways.
Anyways... I can see synchronizing blacklists on a firewall, or
having a firewall configured to fetch certain 'drop' rules from a
HTTPS URL. Otherwise: the thought of mass synchronization of
lots of firewalls can be bad in that it creates a single point of
system compromise; supposing the synchronization source machine
were compromised, one dirty rule inserted by an intruder followed by
a kick off of the sync mechanism, and then actions to break
it/prevent further syncing, defeats the security of the entire
deployment....
--
-JH
More information about the NANOG
mailing list