Firewalls: Firewall farms

Firewalls
(August 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Firewall farms
From:	potlicker @ morebbs . com
Organization:	MORE BBS
Date:	Sun, 18 Aug 96 08:07:59
To:	firewalls @ greatcircle . com

This is academic research.   The First Church of The Gooey Death don't do no
consulting.   We added another Article of Faith  -  Thou May Use Punctuation.

Scenario: GrandInc runs a multivendor firewall farm that interconnects
corporate WAN's and the Internet.   They want to see firewall performance
data without having to log onto consoles.  Policy forbids them to remotely
access root on the firewalls across their network.   They have to use the
consoles.

Possible Solution:
uptime, netstat, vmstat, iostat run out of cron every 15 minutes.   Output is
redirected to a performance file.   Ever hour cron mails the performance file
from each firewall to GrandInc's cc:Mail system.   Clockman95 running on
Windows95 launches a Visual DBase routine every couple of hours.  That
routine does the following:   export the performance mail from cc:Mail to 
text files on a networked drive;   imports the data for each firewall from 
the networked drive into a database for each machine;   runs a report that 
prints the important performance factors for each box for the past couple of
hours.   At midnight Clockman95 starts another report which prints
performance data for each box for the past 24 hours and flags major problems.

A lot of things could go wrong in this process of events.   There are a lot
of bright people on the firewalls list.   What are viable alternatives?

Unrelated - some folks have commented that they think the idea of a single
firewall providing Internet access to a large WAN is just vendor fluff.
We don't think it is.   In the course of our research we have come across
several large WAN's that had a single firewall connecting them through a
high speed link to the Internet.  They also had many low speed connections
from other parts of the WAN to the Internet.  Most of these low speed
dial-ups had no security protection.  A few had easily circumvented low 
level protection.   The only really secure connection from the WAN to the
Internet was the single firewall provided by a vendor.   
                                                          PoT_LiCkEr

-=  He am bugoo.   Me be ugoo.   Ugoo not like bugoo.   I gonna kill him  =-
-=                                                                        =-
-=                   Okay Bosnia, keep it over there.                     =-

Follow-Ups:

Re: Firewall farms
From: Michael Dillon <michael @ memra . com>

Indexed By Date	Previous:	RE: NT Memory (formerly NT Firewalling) From: Don Lewis <Don . Lewis @ tsc . tdk . com>
Indexed By Date	Next:	RE: NT Memory (formerly NT Firewalling) From: Michael Dillon <michael @ memra . com>
Indexed By Thread	Previous:	DNS filtering on CISCO routers From: "R. McMahon" <rmcm001 @ us . net>
Indexed By Thread	Next:	Re: Firewall farms From: Michael Dillon <michael @ memra . com>