Phil writes (I think)...
> There are other ways of providing the same functionality - BorderWare has a
> user-controllable (ie. you can turn on and off this feature via the console,
> by default it is off) back door that allows the developers to effectively
> telnet into the firewall (which can be initiated only via a certain IP
> address, and only using strong authentication) over the net and see what's
> wrong with a firewall. Patches can be downloaded from the net (patches
> are cryptographically checksummed, of course) by end users and a console
> menu selection is used to apply them (the patch update code brings the
> machine down to a single user, non-network listening mode, applies the
> patches and reboots).

Your point reminded me of an idea with which I have been playing:
managing firewalls using SNMP and a to-be-developed Firewall MIB.
Before the flamethrowers go on, let's assume that we are using
an acceptably authenticated path for the SNMP flow. Whether this is
SNMPv2, link encryption, etc., is irrelevant for the immediate discussion.

What I'd like the list to consider are what are the abstract mechanisms
that reside on firewalls (including bastion hosts, screening routers,
etc.). These abstractions are what a MIB would describe. We would then
have the potential, to some extent, of firewall-vendor-independent
management of the firewall. We also may have a standard metanotation
for describing at least a core set of firewall functions.

My initial thought would be to model both packet forwarding and
proxy mechanisms as extensions of the basic IP routing table MIB.
There would also be switch variables for log and alarm mechanisms.

> I realize that trusting a vendor to have good support policies is always
> an act of faith, but BorderWare (and other firewall vendors, I might add)
> have an open user mailing list that users can gripe about bad support to.
> >The point is that in a dynamic environment a customer may not be able to wait
> >for the next version and at the same time, the vendor may not have the
> >available resources (equipment and manpower) to be able to recreate it.

A MIB dump -- of the firewall MIB and possibly associated host and
router MIBs -- might make a very useful support tool.

PS---I will be going into the hospital for a week of personal
diagnostics on Sunday, and am not sure if I will have email access
from there. I won't be ignoring the discussion!
I'll definitely return to the discussion when NIH lets
me out, or if I can get connectivity. My Powerbook is, at the moment,
in its ultimate security mode -- needing to go back in for repair.
Complain all you like about software; there's nothing like a
beta test on your body! :-)
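
The Firewall MIB idea above (forwarding and proxy rules as a routing-table-style table, plus switch variables for log and alarm), written out as an added SMIv2 sketch that is not from the original post; the module name, object names and the OID arc under `experimental` are hypothetical placeholders, not a registered MIB.

```asn1
FIREWALL-MIB DEFINITIONS ::= BEGIN
IMPORTS OBJECT-TYPE, IpAddress, experimental FROM SNMPv2-SMI
        TruthValue FROM SNMPv2-TC;
firewallMIB OBJECT IDENTIFIER ::= { experimental 999 }  -- placeholder arc
-- Policy table keyed by destination, as ipRouteTable is keyed by ipRouteDest;
-- each row carries the forward/proxy decision plus per-rule log/alarm switches.
fwRuleTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF FwRuleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "Packet-forwarding and proxy policy table."
    ::= { firewallMIB 1 }
fwRuleEntry OBJECT-TYPE
    SYNTAX      FwRuleEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "One policy row."
    INDEX       { fwRuleDest }
    ::= { fwRuleTable 1 }
FwRuleEntry ::= SEQUENCE {
    fwRuleDest   IpAddress,
    fwRuleAction INTEGER,
    fwRuleLog    TruthValue,
    fwRuleAlarm  TruthValue }
fwRuleDest OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "Destination address this row applies to (cf. ipRouteDest)."
    ::= { fwRuleEntry 1 }
fwRuleAction OBJECT-TYPE
    SYNTAX      INTEGER { drop(1), forward(2), proxy(3) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Matching traffic is dropped, forwarded, or handed to a proxy."
    ::= { fwRuleEntry 2 }
fwRuleLog OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Switch variable: log traffic matching this row."
    ::= { fwRuleEntry 3 }
fwRuleAlarm OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "Switch variable: send a trap when this row matches."
    ::= { fwRuleEntry 4 }
END
```

A walk of fwRuleTable is the vendor-independent "MIB dump" the post mentions as a support tool, and the read-write switches are exactly what an authenticated management path must protect.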