> > Hi everyone, > > I have a question regarding managing policies among multiple sets of > firewalls. I don't know what industry standard / best practice is for > managing rules among multiple devices. There isn't one. Take the Trust/DMZ/Untrust which is documented as "best practice" but wasn't 15 years ago.
Modern firewalls are great for keeping the bad guys from brut forcing your network but so will a cheap router. Most network intrustions that I've seen are from the inside to other things on the inside. All your external IP addresses are already fingerprinted. A speaker at last year's Ruxcon was giving a talk in Switzerland and accidentally also fingerprinted all of Belgium as well. His records for a university shows the history where you can go back and say "This was a windows box with a poor history of patching yet its now locked down but that one port is still open so there is a chance its not patched" and he has sql tools to ask what machines might be susceptible to the last exploit. If he has those kinds of tools, you know the bad guys do too. I run one interface per host and put it in its own zone. My inbound interfaces are from zone "Internet" (not untrusted) as are other sources of garbage like a public wifi net is also in zone "Internet". My web servers are all in their own zones based on function and my dns has its own zone as well. The only swtich bank I use is now in a zone called "lan" where the workstations are. The rules indicate they are slightly more trutworthy than the internet :-) While this tends to cause the number of rules to blow out like crazy it is easier to manage over 3 sites. If I could find an ssg 140 cheap, I would be tempted to put all my troublesome users on their own port too. What I don't like is VPN connections tend to have lame levels of trust that the far end is secure. I have not found a good solution to that which makes me happy. To make this all even more entertaining, my Jr Net Admin went to the boss last week with the great idea of moving all the servers into a DMZ to reduce the number of zones on the firewall. -tim http://web.abnormal.com > > Currently our office has an srx cluster, site A has an edge srx cluster and > core srx cluster, and site B has an edge srx cluster and core srx cluster. > The edge srx clusters generally interface with border routers or providers > directly, IPSEC, DMZ and any outbound 3rd party web filter redirects etc. > The core srx clusters handle firewalling between our different > environments. Separating search engines, databases, web servers, etc etc. > > I don't know what the best way to manage the firewall rules is between > these sites. I don't think its sustainable to write the same rule on site A > core, site A edge, site B edge, site B core. And then managing the address > book entries on every device also becomes a hassle, making sure its > all synchronized etc. Is there a better method of doing this? > > I don't even want to think about what happens if I want traffic from the > office to route through site A in order to reach site B in the event of a > VPN issue between the office and site B directly. > > Is there a good method for keeping these things managed, like only having > the edge firewall for site A manage incoming connections, and let the other > sites edge firewall deal with site A's outgoing connections, etc? > > I'm a mess. If we add two more sites my head might explode. > > Morgan > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
