Chris's Wiki :: blog/sysadmin/FirewallViewComplexity Comments
https://utcc.utoronto.ca/~cks/space/blog/sysadmin/FirewallViewComplexity?atomcomments
DWiki, 2008-12-23T13:34:10Z
Recent comments in Chris's Wiki :: blog/sysadmin/FirewallViewComplexity.

From 92.236.77.161 on /blog/sysadmin/FirewallViewComplexity (2008-12-23T13:34:10Z)
<div class="wikitext"><p>Maybe look at general higher-level management tools like Puppet (<a href="http://reductivelabs.com">http://reductivelabs.com</a>)? This will allow you to specify things in terms of services and hosts, and I believe (but I'm not 100% sure) that there is a query interface so you'd be able to see what NFS rules are being applied to the various hosts, say.</p>
</div>

By Chris Siebenmann on /blog/sysadmin/FirewallViewComplexity (2008-12-23T07:13:39Z)
<div class="wikitext"><p>I've never had the chance to play around with any of the commercial firewalls; given that the free alternatives work well enough, university budgets basically mean that commercial firewalls are completely off limits.</p>
</div>

From 65.61.116.102 on /blog/sysadmin/FirewallViewComplexity (2008-12-22T16:55:30Z)
<div class="wikitext"><p>Have you looked at a Checkpoint policy manager GUI lately? While not perfect, it makes firewall management very easy. The object grouping, targets (specify which firewall(s) the rule applies to) and rule groups make for a very tidy policy. This is important when you're asked to make routine change requests because you need to know where to insert new rules. These changes are usually as simple as adding a host or service to an existing group.</p>
<p>I compare this to PIX/ASA and various open source firewalls, many of which will not allow the grouping of heterogeneous objects. I'm not trying to pimp CheckPoint or anything (performance-wise, I've always preferred PIX/ASA) but I have always found their management tools/structure to be top notch.</p>
<p>Ian</p>
</div>