we have about 25 production FWSMs on our campus with the 250-context license per blade; if you do the math we can theoretically spin up 6,250 virtual firewalls; as such we do use standardized policy templates in order to centralize the production firewall environment; the drawback with this is that using standard policy templates does not allow for a super granular ruleset; most customers are ok with this; others just choose to write their own policies; we also offer both options of the ASDM GUI & IOS CLI; many customers do prefer the ASDM GUI.

See the following URL for our standard firewall policy templates; nothing really NDA or proprietary; just a lot of time between 10 or so firewall and security SMEs who tried to put together a comprehensive base security policy template; you can pretty much copy & paste this into a running Cisco firewall and you're set to go:

https://netfiles.umn.edu/users/moua0100/UMN_CENTRAL_FIREWALL_SERVICE/

Regards,
Ge Moua | Email: moua0...@umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
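The template-per-context approach described above (a shared base that every context inherits, with customer rules layered on top), as an added example that is not from this thread or the UMN templates: it renders ASA/FWSM-style access-list lines for one context and flags customer "deny" entries that contradict the inherited monitoring/backup entries. All hosts, networks, ACL names and rules are constructed for illustration.

```python
import ipaddress

# Constructed base entries that every context inherits (monitoring and backup
# reachability). They are emitted first because ASA/FWSM ACLs are first-match.
BASE_RULES = [
    ("permit", "tcp", "10.10.1.5/32", "0.0.0.0/0", 22),    # constructed: backup server
    ("permit", "udp", "10.10.2.0/24", "0.0.0.0/0", 161),   # constructed: SNMP pollers
]

def fmt_addr(cidr):
    """Render a CIDR in access-list syntax: 'any', 'host A.B.C.D', or 'NET MASK'."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"

def render_context_acl(acl_name, customer_rules):
    """Build the ACL lines for one context: inherited base, customer rules, explicit deny."""
    lines = []
    for action, proto, src, dst, port in BASE_RULES + list(customer_rules):
        lines.append(f"access-list {acl_name} extended {action} {proto} "
                     f"{fmt_addr(src)} {fmt_addr(dst)} eq {port}")
    lines.append(f"access-list {acl_name} extended deny ip any any log")
    return lines

def base_conflicts(customer_rules):
    """Return base rules that a customer deny contradicts (same proto and port,
    overlapping source). The base still wins on the box because it is emitted
    first, but a contradiction means the customer expects different behaviour
    and should be resolved before the template is pushed to the context."""
    hits = []
    for base in BASE_RULES:
        _, bproto, bsrc, _, bport = base
        for action, proto, src, _, port in customer_rules:
            if action != "deny" or proto != bproto or port != bport:
                continue
            if ipaddress.ip_network(src).overlaps(ipaddress.ip_network(bsrc)):
                hits.append(base)
                break
    return hits

if __name__ == "__main__":
    # Constructed customer policy: one web permit plus a deny that shadows backup SSH.
    cust = [("permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", 443),
            ("deny", "tcp", "10.10.0.0/16", "0.0.0.0/0", 22)]
    print("\n".join(render_context_acl("cust_a_in", cust)))
    print("conflicts:", base_conflicts(cust))
```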



Scott Granados wrote:
GUI is for the weak!
----- Original Message ----- From: "David Hughes" <da...@hughes.com.au>
To: "Justin Shore" <jus...@justinshore.com>
Cc: "Cisco NSP ((E-mail))'" <cisco-nsp@puck.nether.net>
Sent: Wednesday, September 30, 2009 5:02 PM
Subject: Re: [c-nsp] Hardware for 'managed firewall'



On 30/09/2009, at 11:06 PM, Justin Shore wrote:

You should really take a look at the new ASDM releases for the FWSMs. It's actually pretty good. You have full control of all contexts if you aim ASDM at the admin context. Of course I never use the GUI anyway so what does that matter?

My focus has been on centralised policy management for many hundreds of contexts. Each context must inherit standard ACL entries for our monitoring or backup systems etc. Don't care about GUI based management per se.


We supply crypto in our 7600s for the data center with SSC-400 2G IPSec SPAs. Now if you want to talk about a funky LC, let's talk about those damn things.

Sounds ugly. As they say in the classics - "Good luck with that one" :)


David
...

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/