[146374] in North American Network Operators' Group
Re: Firewalls - Ease of Use and Maintenance?
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Thu Nov 10 08:37:09 2011
In-Reply-To: <4EBAE62E.5090706@foobar.org>
Date: Thu, 10 Nov 2011 07:36:58 -0600
From: Jimmy Hess <mysidia@gmail.com>
To: Nick Hilliard <nick@foobar.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Nov 9, 2011 at 2:44 PM, Nick Hilliard <nick@foobar.org> wrote:
> On 09/11/2011 19:07, C. Jon Larsen wrote:
> As I said, it's not a pf problem. Commercial firewalls will do all this
> sort of thing off the shelf. It's a pain to have to write scripts to do this manually.
Ah... the high cost of 'free' products: you have to do some
scripting, or pay another organization to support it / do scripting
work for you. The advantage is... you _can_ do a small amount of
scripting or programming to add minor additional required
functionality. And a very large number of commercial firewalls do not
have config synchronization, except, perhaps, between a failover pair,
anyways.
Anyways... I can see synchronizing blacklists on a firewall, or
having a firewall configured to fetch certain 'drop' rules from an
HTTPS URL. Otherwise: the thought of mass synchronization of
lots of firewalls can be bad in that it creates a single point of
system compromise; supposing the synchronization source machine
were compromised, one dirty rule inserted by an intruder followed by
a kick off of the sync mechanism, and then actions to break
it/prevent further syncing, defeats the security of the entire
deployment....
--
-JH
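An added example, not from the thread or from pf itself, of the kind of guard a fetched 'drop' list should pass before it reaches the firewall, so that a compromised sync source cannot push arbitrary pf syntax or a 'block everything' prefix. It assumes the list is plain IPv4 addresses or CIDRs, one per line, loaded into a pf table with the assumed name sync_drop; the sample lists are constructed inline.

```shell
#!/bin/sh
# Added example: sanity-check a fetched 'drop' list before it reaches pf.
# Assumes one IPv4 address or CIDR per line; '#' starts a comment.
MAX_ENTRIES=10000   # refuse suspiciously large lists (assumed cap)
MIN_PREFIX=8        # refuse anything broader than a /8

# validate_droplist FILE: returns 0 if every entry is an acceptable IPv4 CIDR
validate_droplist() {
    file=$1
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                   # strip comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')        # and whitespace
        [ -z "$line" ] && continue
        case "$line" in
            */*) addr=${line%/*}; pfx=${line##*/} ;;
            *)   addr=$line;      pfx=32 ;;
        esac
        case "$pfx" in ''|*[!0-9]*) return 1 ;; esac       # prefix must be digits
        [ "$pfx" -ge "$MIN_PREFIX" ] && [ "$pfx" -le 32 ] || return 1
        oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs      # split into octets
        [ $# -eq 4 ] || return 1
        for o in "$@"; do
            case "$o" in ''|*[!0-9]*) return 1 ;; esac
            [ "$o" -le 255 ] || return 1
        done
        count=$((count + 1))
        [ "$count" -le "$MAX_ENTRIES" ] || return 1
    done < "$file"
    return 0
}

# apply_droplist FILE: replace the pf table atomically, but only after validation
# ('sync_drop' is an assumed table name; pfctl is not invoked by the demo below)
apply_droplist() {
    validate_droplist "$1" || { echo "rejected $1" >&2; return 1; }
    pfctl -t sync_drop -T replace -f "$1"
}

# Constructed sample lists: one clean, one carrying a /0 that would block everything
GOOD_LIST=$(mktemp); BAD_LIST=$(mktemp)
printf '203.0.113.0/24\n198.51.100.7   # single host\n\n' > "$GOOD_LIST"
printf '203.0.113.0/24\n0.0.0.0/0\n' > "$BAD_LIST"
validate_droplist "$GOOD_LIST" && echo "good list accepted"
validate_droplist "$BAD_LIST"  || echo "bad list rejected"
```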