firewall management

From: Ogrodnek, Larry (Larry.Ogrodnekat_private)
Date: Thu Oct 28 1999 - 07:39:18 PDT

    Hi.  I am wondering how the rest of you are handling firewall management,
    specifically for firewalls that are on the external side of the DMZ.
    
    We have a fairly typical DMZ configuration, firewall A connected to the
    internet, DMZ in between, firewall B connected to our internal network (In
    reality, there are many A's and B's, and there are also other devices across
    other networks that we would like to monitor).  The rules on firewall B
    are allow anything out, deny everything in.  This leaves us in an
    interesting position.  How do we allow firewall A to send SNMP information,
    etc, to a monitoring station on the inside?
    
    As far as I can see, we have a few choices.
    
    a) allow SNMP traffic inbound on firewall B (I'm not too fond of this).
    b) build a separate management LAN.  Every firewall would have an extra
    interface connected to this special LAN where a monitoring station could
    sit.  Is this a good idea?  Is anyone else doing this?
    c) just bite the bullet and have a separate monitoring station for each
    network.
    
    Are there any other choices?  Any thoughts?
    
    thanks,
    larry
    