Velocity Reviews - Computer Hardware Reviews

Enterprise Management Software for PIX

 
 
dfields
08-24-2005
I'm looking for some recommendations for software which could manage a
fairly large deployment of PIX firewalls (100-200). Management of
these would include security policy and configuration management
(development, archiving, deployment, auditing). Any help would be
greatly appreciated! Open source and commercial products are
considered.

 
Ivan
08-24-2005
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> I'm looking for some recommendations for software which could manage a
> fairly large deployment of PIX firewalls (100-200). Management of
> these would include security policy and configuration management
> (development, archiving, deployment, auditing). Any help would be
> greatly appreciated! Open source and commercial products are
> considered.
>
>


Well, this is exactly the description of a Cisco VMS solution
http://www.cisco.com/en/US/products/...330/index.html.

I've never used this software but I think that it would be worth trying
since it might solve your problems.


--
Ivan

*** Use rot13 to see my eMail address ***
 
Walter Roberson
08-24-2005
In article <(E-Mail Removed)>,
Ivan <(E-Mail Removed)-pbz.ue> wrote:
:In article <(E-Mail Removed) om>,
:(E-Mail Removed) says...
:> I'm looking for some recommendations for software which could manage a
:> fairly large deployment of PIX firewalls (100-200). Management of
:> these would include security policy and configuration management
:> (development, archiving, deployment, auditing). Any help would be
:> greatly appreciated! Open source and commercial products are
:> considered.

:Well, this is exactly the description of a Cisco VMS solution
:http://www.cisco.com/en/US/products/...330/index.html.

For integrated enterprise-class software, the other company you
should look at is solsoft.com -- the SolSoft Policy Server 7 for
company-wide management with multiple functional administrative
roles (e.g., if you want to be able to appoint departmental-level
security admins), and the SolSoft Firewall Manager for single-user
administration.

I haven't priced the SolSoft Firewall Manager; the Policy Server was
several times as expensive as Cisco's VMS.


I had a careful look at Cisco's VMS and compared it to my home-grown
tools. I found that VMS had almost exactly the same limitations as
my home-grown tools did. The one thing that VMS had going for it
that my tools don't have, is that VMS knows how to talk to the
undocumented API used by PDM, and so VMS is able to "reliably" update
remote firewalls.

If you were to try to use the CLI to update a remote firewall -through-
a VPN link to the firewall, then you would run into consistency
problems when you update the 'match address' ACL: after you change
the ACL, PIX 6 goes into an inconsistent state in which it might
refuse to pass traffic through any of the existing or new SA's
(security associations), and this inconsistency lasts until you
"clear ipsec sa"... which causes your VPN connection to drop and
take a few seconds to rebuild, which ruins your tftp of the new config.
You usually can't just solve this problem by leaving tftp traffic
off of your VPN (unprotected), because ISP filters often block tftp...
and that's not even considering the security factor of not wanting
your firewall configuration to be transmitted in the clear.

VMS, by going through a different port, is supposed to be able to
handle reliable updates. I didn't stress-test this. In my particular case,
I could have removed the pdm port from the VPN (it uses SSL anyhow
so not a big security problem), but in other cases the pdm port might
also be blocked.

But that was the -only- real advantage to VMS compared to what I had
already. The VMS GUI is slow and not particularly well organized.
And the strict hierarchical structure of inheritance of properties
leaves you needing to develop ruleset hacks in exactly the same
way that I was already using for my home-grown tools.

For example, under Cisco's VMS, if you want to allow system X in one
firewall to ftp to system Y in another firewall, you have to add the
outgoing ftp rule to X's firewall, and you have to add the incoming ftp
rule to Y's firewall -- and if there is NAT involved, you have to
take all the NAT into configuration manually.


I looked at the SolSoft product's specs, and (at least on paper) the
product is beautiful. The SolSoft product allows policy creation,
and it automatically figures out the set of rules needed to implement
the policies on each firewall... and exactly the same policybase can
be used to export to several different brands and software revs of
firewalls (e.g., if you wanted to swap a PIX for another brand, all
you would have to do is tell the software what the brand was, and
it would create the whole equivalent configuration.)


I posted a laundry-list of features I was hoping to find in a
firewall management system, and I found that SolSoft covered pretty
much all of the features... but that VMS was not nearly as
useful for -my- purposes.

http://groups.google.ca/group/comp.d...2cb8893768cc2c


Unfortunately, my management hasn't been able to find the money for
Solsoft's product. It looks like that if I'd had it a couple of years
ago, I would have saved a minimum of 4 months of work over 2 years...
and that's with only 6 firewalls.

But a lot depends on how complex your rules are. If you have
a real hub-and-spoke operation in which you can very narrowly
define the traffic between the spokes and the hub, and the spokes
don't need to talk to each other and the hub doesn't need to talk much
to the spokes, and the spokes essentially don't have any "unique
circumstances", then VMS might be fine for managing ~100 near-clone
configurations. It happens that in our situation we are closer to
"distributed computing" than to centralized computing, so our
intra-office flows get messy, and VMS just isn't suited for that.
--
"Never install telephone wiring during a lightning storm." -- Linksys
 
 
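The CLI-over-VPN pitfall described in the post above can be caught before a push rather than discovered when the tunnel drops mid-tftp. The following is an added example, not code from the thread or from any vendor product: it parses a PIX 6 running config, finds the ACLs bound by 'crypto map ... match address', and splits a candidate change into lines that are safe to send through the tunnel and lines that would disturb its SAs (match-ACL edits or crypto map rebinding), which belong on the console or in a maintenance window. The sample config and change are constructed; the regexes assume PIX 6 'crypto map <name> <seq> match address <acl>' and 'access-list <acl> ...' syntax.

```python
import re

# Added example (not from the thread or any vendor tool). Assumes PIX 6 syntax:
# 'crypto map <name> <seq> match address <acl>' and 'access-list <acl> ...'.
# Constructed sample running config (not a real device).
RUNNING_CONFIG = """\
access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list inside_out permit tcp 10.1.0.0 255.255.0.0 any eq 80
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map interface outside
"""
# Constructed candidate change: one harmless ACL edit, two edits to the match ACL.
SAMPLE_CHANGE = [
    "access-list inside_out permit tcp 10.1.0.0 255.255.0.0 any eq 22",
    "access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0",
    "no access-list outside_cryptomap_20 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0",
]

CRYPTO_MATCH = re.compile(r"^crypto map (?P<map>\S+) (?P<seq>\d+) match address (?P<acl>\S+)$")
ACL_LINE = re.compile(r"^(?:no )?access-list (?P<acl>\S+)\b")


def vpn_match_acls(config):
    """Map each ACL bound by 'match address' to the crypto map entry using it."""
    matches = (CRYPTO_MATCH.match(line.strip()) for line in config.splitlines())
    return {m.group("acl"): f"{m.group('map')}/{m.group('seq')}" for m in matches if m}


def plan_push(config, change):
    """Split a change into lines safe to send through the tunnel and lines that
    disturb the tunnel's SAs (match-ACL edits, crypto map rebinding) and so need
    console/out-of-band access or a maintenance window with 'clear ipsec sa'."""
    protected = vpn_match_acls(config)
    safe, risky = [], []
    for raw in change:
        line = raw.strip()
        acl = ACL_LINE.match(line)
        if acl and acl.group("acl") in protected:
            risky.append((line, f"edits match ACL of crypto map {protected[acl.group('acl')]}"))
        elif CRYPTO_MATCH.match(re.sub(r"^no ", "", line)):
            risky.append((line, "rebinds a crypto map match ACL; SAs will be rebuilt"))
        else:
            safe.append(line)
    return safe, risky


if __name__ == "__main__":
    safe, risky = plan_push(RUNNING_CONFIG, SAMPLE_CHANGE)
    print("push over VPN:", *safe, sep="\n  ")
    print("push out-of-band:", *(f"{l}  # {why}" for l, why in risky), sep="\n  ")
```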
dfields
08-25-2005
Thanks for the responses - we are going to look at SolSoft in addition
to VMS and fwbuilder. I really appreciate the assistance!! Thanks
again!

David

 
Walter Roberson
08-25-2005
In article <(E-Mail Removed). com>,
dfields <(E-Mail Removed)> wrote:
:Thanks for the responses - we are going to look at SolSoft in addition
:to VMS and fwbuilder.

Interesting, although it isn't mentioned in the FAQ, I see that
netcitadel offers a commercial fwbuilder policy compiler for PIX,

http://www.netcitadel.com/p/cat_fwb_pix.html

I'll have to have a closer look.
--
This signature intentionally left... Oh, darn!
 