This is one of my pet ideas!

> -----Original Message-----
> From: Andrew J. Caird [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, April 26, 2001 9:49 PM
> To: Shoney Joy
> Cc: [EMAIL PROTECTED]
> Subject: Re: Ipchains remote console 
> 
> 
> On: Thu, 26 Apr 2001 09:10:09 +0530 Shoney Joy wrote:
> 
> >Hi list members,
> >
> >can anyone provide me some input on how to have a remote console monitoring
> >multiple IPChains. I am looking at something equivalent to that provided by
> >FW-1 for managing and monitoring multiple OPSec compliant firewalls..
> >
> >Thanks in Advance..
> >
> >Shoney Joy
> 
> # one hostname per line in ./machines; one xterm per firewall
> for m in `cat machines` ; do
>   xterm -e ssh "$m" "tail /var/log/messages | grep ip-chain"
> done
> 
> this is probably more secure than FW-1's method, which I believe
> sends the logs in the clear.

No, it doesn't, unless you set it up that way. I make no claims about how
good the crypto is, though.

If you had a real live monitoring system, you could probably s/tail/tail -f/
and run the logs through snort or logwatch or something half-smart, I guess.

> Also, ssh is a more well vetted piece
> of software and is likely to have fewer bugs and security issues.

*cough* It's certainly been a tower of strength lately! *cough* ;)

> alternatively, you can use something like syslog-ng to securely
> (or plain syslog, to do it with less security) gather all of the
> logs in one place and simply watch that file.  it's not a gui,
> but that's nothing a little perl/tk can't fix for you, and likely
> a search on freshmeat.net will find a gui log analyzer.

I hate the idea of using syslog. I think if you're cooking up ideas then you
should also think about ideas that are applicable from the _outside_ of the
firewall, to make a solution that is attractive for managed firewall
providers, as well. Syslog is best-effort delivery, which doesn't
necessarily play nicely with the public Internet.

> as for remote administration, none of the ip* linux firewalls have,
> as far as i know, remote administration like FW-1's. however, that
> again requires open ports and a daemon listening on the other end, and,
> again, ssh is probably a decent port to have open if you must open
> any port, and while there isn't a nice gui, that's one of the strengths
> of the ip* firewalls, in my eyes.

How is no GUI a strength? A GUI can be a weakness, and often is, but lack of
one can't be a strength. Managing many multiple firewalls and keeping policy
consistent between subsets of them is one of the applications that's crying
out for a GUI, IMHO - it's a task where a visual aid is likely to help
someone avoid error. 

As I'm sure I've said before, all we need is for someone to write a high
level policy language to bolt on to one of the free firewalls, and work out
a config check-in / check-out system (Hey, using those words makes me think
CVS...) and then fix the transport protocol (which is the easy part).

I'd imagine that the main reason it hasn't happened is that not many places
are using free firewalls in large multi-firewall (dozens or hundreds)
networks, and so have no use for such tools (chicken egg problem).

> cheers.
> --andrew

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304  
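A concrete form of the "pull the logs over ssh and run them through something half-smart" idea discussed above, added here as an example and not code from Andrew or Ben: a POSIX shell script that fetches the tail of each firewall's /var/log/messages over ssh and counts the ipchains "Packet log:" lines per chain, verdict and source address. The ipchains log line layout is assumed from the kernel's "Packet log:" format, and the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample of what syslog writes for ipchains "Packet log:" lines
# (layout assumed: "Packet log: <chain> <verdict> <iface> PROTO=<n> <src:port> <dst:port> ...").
SAMPLE_LOG='Apr 26 21:49:01 fw1 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4321 198.51.100.5:23 L=60 S=0x00 I=12345 F=0x4000 T=64 SYN (#4)
Apr 26 21:49:03 fw1 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4322 198.51.100.5:21 L=60 S=0x00 I=12346 F=0x4000 T=64 SYN (#4)
Apr 26 21:49:05 fw1 kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.7:1025 198.51.100.5:22 L=60 S=0x00 I=12347 F=0x4000 T=64 SYN (#2)
Apr 26 21:49:07 fw1 sshd[512]: Accepted publickey for admin from 203.0.113.7 port 1025 ssh2'

# Read syslog lines on stdin, keep only ipchains packet logs, and print
# "<count> <chain> <verdict> <source ip>" sorted so the noisiest source is first.
summarize_ipchains() {
    awk '/Packet log:/ {
        chain = ""; verdict = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "log:")      { chain = $(i+1); verdict = $(i+2) }
            if ($i ~ /^PROTO=/)    { src = $(i+1) }
        }
        sub(/:[0-9]+$/, "", src)            # strip the source port
        count[chain " " verdict " " src]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Fetch the last lines of each firewall log over ssh (one hostname per line
# in the file named by $1, like the "machines" file in the quoted loop) and
# feed them all to one summary instead of one xterm per host.
collect_from_hosts() {
    while read -r m; do
        [ -n "$m" ] || continue
        ssh "$m" 'tail -n 200 /var/log/messages'
    done < "$1" | summarize_ipchains
}
```

Running `printf '%s\n' "$SAMPLE_LOG" | summarize_ipchains` on the constructed sample reports two DENYs from 192.0.2.10 ahead of the single ACCEPT, and the non-ipchains sshd line is ignored.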