Enterprise Management Software for PIX

Discussion in 'Cisco' started by dfields, Aug 24, 2005.

  1. dfields

    dfields Guest

    I'm looking for some recommendations for software which could manage a
    fairly large deployment of PIX firewalls (100-200). Management of
    these would include security policy and configuration management
    (development, archiving, deployment, auditing). Any help would be
    greatly appreciated! Open source and commercial products are
    considered.
     
    dfields, Aug 24, 2005
    #1

  2. Ivan

    Ivan Guest

    In article <>,
    says...
    > I'm looking for some recommendations for software which could manage a
    > fairly large deployment of PIX firewalls (100-200). Management of
    > these would include security policy and configuration management
    > (development, archiving, deployment, auditing). Any help would be
    > greatly appreciated! Open source and commercial products are
    > considered.
    >
    >


    Well, this is exactly the description of a Cisco VMS solution
    http://www.cisco.com/en/US/products/sw/cscowork/ps2330/index.html.

    I've never used this software, but I think it would be worth trying
    since it might solve your problems.


    --
    Ivan

    *** Use rot13 to see my eMail address ***
     
    Ivan, Aug 24, 2005
    #2

  3. Walter Roberson

    In article <>,
    Ivan <-pbz.ue> wrote:
    :In article <>,
    : says...
    :> I'm looking for some recommendations for software which could manage a
    :> fairly large deployment of PIX firewalls (100-200). Management of
    :> these would include security policy and configuration management
    :> (development, archiving, deployment, auditing). Any help would be
    :> greatly appreciated! Open source and commercial products are
    :> considered.

    :Well, this is exactly the description of a Cisco VMS solution
    :http://www.cisco.com/en/US/products/sw/cscowork/ps2330/index.html.

    For integrated enterprise-class software, the other company you
    should look at is solsoft.com -- the SolSoft Policy Server 7 for
    company-wide management with multiple functional administrative
    roles (e.g., if you want to be able to appoint departmental-level
    security admins), and the SolSoft Firewall Manager for single-user
    administration.

    I haven't priced the SolSoft Firewall Manager; the Policy Server was
    several times as expensive as Cisco's VMS.


    I had a careful look at Cisco's VMS and compared it to my home-grown
    tools. I found that VMS had almost exactly the same limitations as
    my home-grown tools did. The one thing that VMS had going for it
    that my tools don't have, is that VMS knows how to talk to the
    undocumented API used by PDM, and so VMS is able to "reliably" update
    remote firewalls.

    If you were to try to use the CLI to update a remote firewall -through-
    a VPN link to the firewall, then you would run into consistency
    problems when you update the 'match address' ACL: after you change
    the ACL, PIX 6 goes into an inconsistent state in which it might
    refuse to pass traffic through any of the existing or new SA's
    (security associations), and this inconsistency lasts until you
    "clear ipsec sa"... which causes your VPN connection to drop and
    take a few seconds to rebuild, which ruins your tftp of the new config :(
    You usually can't just solve this problem by leaving tftp traffic
    off of your VPN (unprotected), because ISP filters often block tftp...
    and that's not even considering the security factor of not wanting
    your firewall configuration to be transmitted in the clear.

    VMS, by going through a different port, is supposed to be able to
    handle reliable updates. I didn't stress-test this. In my particular case,
    I could have removed the pdm port from the VPN (it uses SSL anyhow
    so not a big security problem), but in other cases the pdm port might
    also be blocked.

    But that was the -only- real advantage to VMS compared to what I had
    already. The VMS GUI is slow and not particularly well organized.
    And the strict hierarchical structure of inheritance of properties
    leaves you needing to develop ruleset hacks in exactly the same
    way that I was already using for my home-grown tools.

    For example, under Cisco's VMS, if you want to allow system X in one
    firewall to ftp to system Y in another firewall, you have to add the
    outgoing ftp rule to X's firewall, and you have to add the incoming ftp
    rule to Y's firewall -- and if there is NAT involved, you have to
    account for all the NAT in the configuration manually.


    I looked at the SolSoft product's specs, and (at least on paper) the
    product is beautiful. The SolSoft product allows policy creation,
    and it automatically figures out the set of rules needed to implement
    the policies on each firewall... and exactly the same policybase can
    be used to export to several different brands and software revs of
    firewalls (e.g., if you wanted to swap a PIX for another brand, all
    you would have to do is tell the software what the brand was, and
    it would create the whole equivalent configuration.)


    I posted a laundry-list of features I was hoping to find in a
    firewall management system, and I found that SolSoft covered pretty
    much all of the features... but that VMS was not nearly as
    useful for -my- purposes.

    http://groups.google.ca/group/comp.dcom.sys.cisco/msg/b32cb8893768cc2c


    Unfortunately, my management hasn't been able to find the money for
    Solsoft's product :( It looks like if I'd had it a couple of years
    ago, I would have saved a minimum of 4 months of work over 2 years...
    and that's with only 6 firewalls.

    But a lot depends on how complex your rules are. If you have
    a real hub-and-spoke operation in which you can very narrowly
    define the traffic between the spokes and the hub, and the spokes
    don't need to talk to each other and the hub doesn't need to talk much
    to the spokes, and the spokes essentially don't have any "unique
    circumstances", then VMS might be fine for managing ~100 near-clone
    configurations. It happens that in our situation we are closer to
    "distributed computing" than to centralized computing, so our
    intra-office flows get messy, and VMS just isn't suited for that.
    --
    "Never install telephone wiring during a lightning storm." -- Linksys
     
    Walter Roberson, Aug 24, 2005
    #3
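    The X-to-Y ftp case from the post above, as an added example that is not part of the original thread and not code from VMS, SolSoft or fwbuilder: a toy policy compiler in Python that expands one end-to-end flow ("X may ftp to Y") into the outbound access-list on X's firewall and the inbound access-list on Y's firewall, taking each side's NAT into account the way PIX 6 interface ACLs expect it (the ACL on the outside interface is matched against the mapped destination address). The firewall names, addresses, the inside_in/outside_in ACL names and the NAT model are constructed assumptions: a static translation publishes a host, dynamic PAT alone leaves it unreachable from outside, and a site with no NAT at all (e.g. nat 0 across a VPN) is reached at its real address.

```python
"""Toy policy-to-ACL compiler (added example, not any vendor's code).

One end-to-end flow is expanded into the outbound rule on the source
host's firewall and the inbound rule on the destination host's firewall,
with the NAT each side applies folded in. Interface/ACL names, addresses
and the NAT model are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address
from typing import Optional


@dataclass
class Firewall:
    name: str
    inside: IPv4Network                          # network behind this firewall
    static: dict = field(default_factory=dict)   # real host -> mapped address (static NAT)
    pat: Optional[str] = None                    # address outbound hosts are translated to

    def owns(self, host: str) -> bool:
        return ip_address(host) in self.inside

    def reachable_as(self, host: str) -> Optional[str]:
        """Address remote sites must use to reach `host`; None if unreachable."""
        if host in self.static:
            return self.static[host]
        # Dynamic PAT only: no inbound translation exists for this host.
        # No NAT at all (assumed nat 0 over a VPN): reach it at its real address.
        return None if self.pat else host

    def leaves_as(self, host: str) -> str:
        """Source address `host` carries once it has left this firewall."""
        return self.static.get(host, self.pat or host)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


PORT_NAMES = {21: "ftp", 22: "ssh", 25: "smtp", 80: "www", 443: "https"}


def compile_flow(flow: Flow, firewalls: list[Firewall]) -> dict[str, list[str]]:
    """Return the PIX 6 style access-list lines each firewall needs for `flow`."""
    src_fw = next((f for f in firewalls if f.owns(flow.src)), None)
    dst_fw = next((f for f in firewalls if f.owns(flow.dst)), None)
    if src_fw is None or dst_fw is None:
        raise ValueError(f"{flow.src}->{flow.dst}: endpoint not behind a managed firewall")
    rules: dict[str, list[str]] = {f.name: [] for f in firewalls}
    if src_fw is dst_fw:
        return rules  # both hosts on one inside network: no firewall in the path
    dst_addr = dst_fw.reachable_as(flow.dst)
    if dst_addr is None:
        raise ValueError(f"{flow.dst} behind {dst_fw.name} has no inbound translation")
    src_addr = src_fw.leaves_as(flow.src)
    svc = f"{flow.proto} host {{}} host {{}} eq {PORT_NAMES.get(flow.port, flow.port)}"
    # Outbound on X's firewall: the inside ACL sees the real source and the
    # destination as it is addressable from outside (its mapped address).
    rules[src_fw.name].append("access-list inside_in permit " + svc.format(flow.src, dst_addr))
    # Inbound on Y's firewall: PIX 6 matches the outside ACL against the
    # mapped destination, and the source is whatever X's NAT turned it into.
    rules[dst_fw.name].append("access-list outside_in permit " + svc.format(src_addr, dst_addr))
    return rules


# Constructed sample topology: hq publishes one server via static NAT,
# branch has only dynamic PAT for its outbound traffic.
FIREWALLS = [
    Firewall("hq", IPv4Network("10.1.0.0/16"),
             static={"10.1.1.10": "203.0.113.10"}, pat="203.0.113.1"),
    Firewall("branch", IPv4Network("10.2.0.0/16"), pat="198.51.100.2"),
]
FTP_FLOW = Flow("10.2.5.20", "10.1.1.10", "tcp", 21)  # branch host X -> hq host Y

if __name__ == "__main__":
    for fw, lines in compile_flow(FTP_FLOW, FIREWALLS).items():
        print(f"! {fw}")
        print("\n".join(lines) or "! (no change)")
```

    Running it emits one outbound line for branch (destination already rewritten to hq's mapped 203.0.113.10) and one inbound line for hq (source rewritten to branch's PAT address). Asking for the reverse flow, hq to a branch host, raises an error rather than emitting a rule, because a host behind PAT alone has no address the remote side could be permitted to reach; that missing-translation case is exactly the kind of NAT bookkeeping the post says VMS leaves to the administrator.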
  4. dfields

    dfields Guest

    Thanks for the responses - we are going to look at SolSoft in addition
    to VMS and fwbuilder. I really appreciate the assistance!! Thanks
    again!

    David
     
    dfields, Aug 25, 2005
    #4
  5. Walter Roberson

    In article <>,
    dfields <> wrote:
    :Thanks for the responses - we are going to look at SolSoft in addition
    :to VMS and fwbuilder.

    Interesting, although it isn't mentioned in the FAQ, I see that
    netcitadel offers a commercial fwbuilder policy compiler for PIX,

    http://www.netcitadel.com/p/cat_fwb_pix.html

    I'll have to have a closer look.
    --
    This signature intentionally left... Oh, darn!
     
    Walter Roberson, Aug 25, 2005
    #5