Computerworld - Security managers who are responsible for managing corporate firewalls, virtual private network (VPN) gateways, routers and other devices will understand the headaches I'm facing this week.
Prior to my arrival a few months back, my company was primarily a Check Point FireWall-1 shop. However, the company recently decided to switch to PIX firewalls from Cisco Systems Inc.
Personally, I'm a big advocate of the firewall products from Redwood City, Calif.-based Check Point Software Technologies Ltd. There's nothing wrong with Cisco's PIX products, but I've found myself having to climb a steep learning curve while coping with a rule base that's becoming increasingly unmanageable. And I'm trying to find a way to centralize management of security devices so that we don't need a different tool for every device.
4,300 Reasons for Change
There are two methods of administering a PIX firewall. With the command-line interface method, you can manually enter commands from a terminal window or via Telnet or Secure Shell access.
A typical set of commands might look like the following:
access-list DMZ permit tcp host 192.168.10.33 host 10.38.20.5 eq smtp
access-list DMZ permit tcp host 192.168.10.34 host 10.38.20.5 eq smtp
access-list DMZ permit tcp host 192.168.10.35 host 10.38.20.5 eq smtp
In this case, the rules tell the firewall that on the demilitarized zone (DMZ) interface, it should allow hosts in IP address ranges 192.168.10.33 to 192.168.10.35 to access host 10.38.20.5 and send e-mail via Simple Mail Transfer Protocol (SMTP).
In principle, that's not a bad way to create access lists and manage a firewall. But at my company, the main corporate firewall contains more than 4,300 lines of rules, and the e-business firewall contains more than 5,000. Every time my staff makes a change, we all stand around with our fingers crossed, cringing, hoping that the firewall doesn't crash. I've never seen so many rules on a single firewall.
LINKS:
Check Solsoft's Web site for details on devices that its Solsoft NP security management tool will support.
Netfilter and IPtables are free Linux-based firewall applications my company is considering implementing.
If you're a Check Point firewall fan, this is probably the best resource on the Internet for administrators.
Cisco's Web site offers more details on the PIX firewall management tools I mentioned.
The two most commonly used PIX firewall tools are the Cisco Secure Policy Manager (CSPM) and the company's Web-based PIX Device Manager. We chose CSPM. But I discovered that it can be complex to manage, especially if you didn't contribute to its initial configuration.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
