Re: Enterprise Management Software for PIX
- From: roberson@xxxxxxxxxxxxxxxxxx (Walter Roberson)
- Date: Wed, 24 Aug 2005 18:09:07 +0000 (UTC)
In article <MPG.1d76c99b539c5b869896a9@xxxxxxxxxxxxxxx>,
Ivan <vina.bfgerf@xxxxxxxxxxx> wrote:
:In article <1124901915.979750.3790@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
:david_c_fields@xxxxxxxxxxx says...
:> I'm looking for some recommendations for software which could manage a
:> fairly large deployment of PIX firewalls (100-200). Management of
:> these would include security policy and configuration management
:> (development, archiving, deployment, auditing). Any help would be
:> greatly appreciated! Open source and commercial products are
:> considered.
:Well, this is exactly the description of a Cisco VMS solution
:http://www.cisco.com/en/US/products/sw/cscowork/ps2330/index.html.
For integrated enterprise-class software, the other company you
should look at is solsoft.com -- the SolSoft Policy Server 7 for
company-wide management with multiple functional administrative
roles (e.g., if you want to be able to appoint departmental-level
security admins), and the SolSoft Firewall Manager for single-user
administration.
I haven't priced the SolSoft Firewall Manager; the Policy Server was
several times as expensive as Cisco's VMS.
I had a careful look at Cisco's VMS and compared it to my home-grown
tools. I found that VMS had almost exactly the same limitations as
my home-grown tools did. The one thing that VMS had going for it
that my tools don't have, is that VMS knows how to talk to the
undocumented API used by PDM, and so VMS is able to "reliably" update
remote firewalls.
If you were to try to use the CLI to update a remote firewall -through-
a VPN link to the firewall, then you would run into consistency
problems when you update the 'match address' ACL: after you change
the ACL, PIX 6 goes into an inconsistent state in which it might
refuse to pass traffic through any of the existing or new SA's
(security associations), and this inconsistency lasts until you
"clear ipsec sa"... which causes your VPN connection to drop and
take a few seconds to rebuild, which ruins your tftp of the new config :(
You usually can't just solve this problem by leaving tftp traffic
off of your VPN (unprotected), because ISP filters often block tftp...
and that's not even considering the security factor of not wanting
your firewall configuration to be transmitted in the clear.
VMS, by going through a different port, is supposed to be able to
handle reliable updates. I didn't stress-test this. In my particular case,
I could have removed the pdm port from the VPN (it uses SSL anyhow
so not a big security problem), but in other cases the pdm port might
also be blocked.
But that was the -only- real advantage to VMS compared to what I had
already. The VMS GUI is slow and not particularly well organized.
And the strict hierarchical structure of inheritance of properties
leaves you needing to develop ruleset hacks in exactly the same
way that I was already using for my home-grown tools.
For example, under Cisco's VMS, if you want to allow system X in one
firewall to ftp to system Y in another firewall, you have to add the
outgoing ftp rule to X's firewall, and you have to add the incoming ftp
rule to Y's firewall -- and if there is NAT involved, you have to
take all the NAT into configuration manually.
I looked at the SolSoft product's specs, and (at least on paper) the
product is beautiful. The SolSoft product allows policy creation,
and it automatically figures out the set of rules needed to implement
the policies on each firewall... and exactly the same policybase can
be used to export to several different brands and software revs of
firewalls (e.g., if you wanted to swap a PIX for another brand, all
you would have to do is tell the software what the brand was, and
it would create the whole equivalent configuration.)
I posted a laundry-list of features I was hoping to find in a
firewall management system, and I found that SolSoft covered pretty
much all of the features... but that VMS was not nearly as
useful for -my- purposes.
http://groups.google.ca/group/comp.dcom.sys.cisco/msg/b32cb8893768cc2c
Unfortunately, my management hasn't been able to find the money for
Solsoft's product :( It looks like if I'd had it a couple of years
ago, I would have saved a minimum of 4 months of work over 2 years...
and that's with only 6 firewalls.
But a lot depends on how complex your rules are. If you have
a real hub-and-spoke operation in which you can very narrowly
define the traffic between the spokes and the hub, and the spokes
don't need to talk to each other and the hub doesn't need to talk much
to the spokes, and the spokes essentially don't have any "unique
circumstances", then VMS might be fine for managing ~100 near-clone
configurations. It happens that in our situation we are closer to
"distributed computing" than to centralized computing, so our
intra-office flows get messy, and VMS just isn't suited for that.
--
"Never install telephone wiring during a lightning storm." -- Linksys
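The rule-propagation problem Walter describes (one "X may ftp to Y" policy becoming an outbound rule on X's PIX and an inbound rule plus the static translation on Y's PIX, with NAT applied) as a small Python illustration. This is an added example, not SolSoft's or VMS's code; the firewall names, addresses, and the inside_in/outside_in ACL names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    inside: ipaddress.IPv4Network                   # network behind this PIX
    static_nat: dict = field(default_factory=dict)  # real inside IP -> mapped (global) IP

@dataclass
class Policy:
    src: str    # real (untranslated) source host
    dst: str    # real (untranslated) destination host
    proto: str
    port: int

def owner(firewalls, host):
    """Return the firewall whose inside network contains host, or None."""
    addr = ipaddress.ip_address(host)
    return next((fw for fw in firewalls if addr in fw.inside), None)

def compile_policy(firewalls, pol):
    """Expand one policy into PIX 6-style lines per firewall (dict: name -> lines).
    ACL names inside_in/outside_in are assumed for the example."""
    src_fw, dst_fw = owner(firewalls, pol.src), owner(firewalls, pol.dst)
    if src_fw is None or dst_fw is None:
        raise ValueError("policy endpoint is not behind a managed firewall")
    if src_fw is dst_fw:
        return {}          # same inside segment: traffic never crosses the PIX
    # How each host appears on the Internet after its own firewall's static NAT.
    src_pub = src_fw.static_nat.get(pol.src, pol.src)
    dst_pub = dst_fw.static_nat.get(pol.dst, pol.dst)
    rules = {src_fw.name: [
        # Outbound on X's PIX: real source, destination as seen from outside.
        f"access-list inside_in permit {pol.proto} host {pol.src} host {dst_pub} eq {pol.port}"]}
    dst_lines = []
    if dst_pub != pol.dst:   # inbound needs the static translation or nothing matches
        dst_lines.append(f"static (inside,outside) {dst_pub} {pol.dst} netmask 255.255.255.255")
    # Inbound on Y's PIX: PIX 6 outside ACLs are written against the mapped address.
    dst_lines.append(
        f"access-list outside_in permit {pol.proto} host {src_pub} host {dst_pub} eq {pol.port}")
    rules[dst_fw.name] = dst_lines
    return rules
# Constructed sample topology: X at HQ, Y at a branch, both statically NATed.
FIREWALLS = [
    Firewall("pix-hq", ipaddress.ip_network("10.1.0.0/16"), {"10.1.0.20": "198.51.100.20"}),
    Firewall("pix-branch", ipaddress.ip_network("10.2.0.0/16"), {"10.2.0.5": "203.0.113.5"}),
]
X_TO_Y_FTP = Policy("10.1.0.20", "10.2.0.5", "tcp", 21)   # "X may ftp to Y"
```

Only the ftp control channel is emitted; on PIX 6 the ftp fixup handles the data channel, which is one more thing a per-firewall hand edit has to remember.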