we have about 25 production FWSMs on our campus with the 250-context
license per blade; if you do the math we can spin up theoretically 6,250
virtual firewalls; as such we do use standardized policy templates in
order to centralize the production firewall environment; drawback with
this is that using standard policy templates does not allow for super
granular rulesets; most customers are ok with this; others just choose to
write their own policies; we also offer both options of the ASDM GUI &
IOS CLI; many customers do prefer the ASDM GUI.
See following URL for our standard firewall policy templates; nothing
really NDA or proprietary; just a lot of time between 10 or so firewall and
security SMEs who tried to put together a comprehensive base security
policy template; you can pretty much copy & paste this into a running
Cisco firewall and you're set to go:
https://netfiles.umn.edu/users/moua0100/UMN_CENTRAL_FIREWALL_SERVICE/
Regards,
Ge Moua | Email: moua0...@umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
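An added example (not part of this thread or the UMN templates) of the kind of tooling the centralised model above calls for, and that David Hughes's point further down about every context inheriting standard ACL entries for monitoring and backup systems also needs: render one context's ACL from a shared baseline, then audit a context's config so a hand-edited customer policy cannot silently drop or shadow the baseline. Context name, addresses and rules are constructed; the ACL lines use ASA/FWSM `access-list ... extended` and `access-group` syntax.

```python
import re

# Constructed sample baseline; not UMN's real template or addresses.
BASELINE = [
    "permit udp host 192.0.2.10 any eq snmp",  # central monitoring poller
    "permit tcp host 192.0.2.20 any eq 22",    # central backup system
]

def render_context(name, customer_rules, baseline=BASELINE):
    """Config lines for one context: baseline entries first so later
    customer rules cannot shadow them, then the customer's own rules,
    then an explicit logged deny so drops show up in syslog."""
    acl = f"{name}_in"
    rules = list(baseline) + list(customer_rules) + ["deny ip any any log"]
    lines = [f"access-list {acl} extended {r}" for r in rules]
    lines.append(f"access-group {acl} in interface outside")
    return lines

def audit_context(lines, baseline=BASELINE):
    """Return (missing, shadowed, too_broad) for one context's config.
    missing:   baseline entries absent from the ACL
    shadowed:  baseline entries that sit after a deny-any, so never match
    too_broad: 'permit ip any any' entries that defeat the policy."""
    acl_lines = [l for l in lines if l.startswith("access-list ")]
    deny_all = re.compile(r"\bdeny\s+ip\s+any\s+any\b")
    first_deny = next((i for i, l in enumerate(acl_lines)
                       if deny_all.search(l)), len(acl_lines))
    missing, shadowed = [], []
    for entry in baseline:
        idx = next((i for i, l in enumerate(acl_lines)
                    if l.endswith(" " + entry)), None)
        if idx is None:
            missing.append(entry)
        elif idx > first_deny:
            shadowed.append(entry)
    too_broad = [l for l in acl_lines
                 if re.search(r"\bpermit\s+ip\s+any\s+any\b", l)]
    return missing, shadowed, too_broad

if __name__ == "__main__":
    cfg = render_context("cust01", ["permit tcp any host 198.51.100.5 eq 443"])
    print("\n".join(cfg))
    print(audit_context(cfg))
```

Run the audit over each context's `show running-config access-list` output on a schedule, not just at render time, so drift in customer-written policies is caught.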
Scott Granados wrote:
GUI is for the weak!
----- Original Message ----- From: "David Hughes" <da...@hughes.com.au>
To: "Justin Shore" <jus...@justinshore.com>
Cc: "Cisco NSP ((E-mail))'" <cisco-nsp@puck.nether.net>
Sent: Wednesday, September 30, 2009 5:02 PM
Subject: Re: [c-nsp] Hardware for 'managed firewall'
On 30/09/2009, at 11:06 PM, Justin Shore wrote:
> You should really take a look at the new ASDM releases for the
> FWSMs. It's actually pretty good. You have full control of all
> contexts if you aim ASDM at the admin context. Of course I never
> use the GUI anyway so what does that matter?
My focus has been on centralised policy management for many hundreds
of contexts. Each context must inherit standard ACL entries for our
monitoring or backup systems etc. Don't care about GUI based
management per se.
> We supply crypto in our 7600s for the data center with SSC-400 2G
> IPSec SPAs. Now if you want to talk about a funky LC, let's talk
> about those damn things.
Sounds ugly. As they say in the classics - "Good luck with that
one" :)
David
...
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/