
List:       ipfilter
Subject:    Re: Managing non-trivial firewall infrastructure
From:       Cy Schubert - CITS Open Systems Group <Cy.Schubert () uumail ! gov ! bc ! ca>
Date:       2002-08-29 18:22:49

Sorry for the late reply, still catching up after 4 weeks of vacation.

In message <B9871397.28573%drsmithy@mailbox.uq.edu.au>, Christopher 
Smith writes:
> I'm interested in hearing about how people are managing environments with a
> number of individual firewall machines and how they deal with machines that
> have a large number of interfaces and protected networks (and associated
> large rulesets).
> 
> I'm after both "big picture" (eg revision and change-control management on
> rulesets, centralised ruleset stores that push changes out to individual
> machines, overall network policies, etc) and individual host (eg overall and
> specific policies for traffic to let in and out, how rulesets are divided)
> aspects.

My team uses ipfmeta or scripts. We store our master copy of our IPF 
rulesets on a secured CVS server. We check out the IPF directory for a 
particular customer, make any changes, check it back in, and run the 
push script or makefile.

> 
> In particular, I'd like to know, at the "big picture" level if people are
> using tools to centrally manage multiple rulesets for multiple machines or
> if they're managing rulesets individually on each machine - and the details
> of how they are doing so.
> 
> At the host level, I'd like to hear about the policies you use.  For
> example:
> * Are you using stateful filtering ?  For everything ?

Depends.

> * Do you setup states on the incoming or outgoing side of the filtering ?
> Both ?

Depends on the requirements.

> * Do you do something like allow in any traffic to/from valid networks, then
> permit access to services/machines/networks on the outgoing side, or do you
> do all such "permitting" on the incoming side ?

Depends on the customer's requirements.

> * What about protecting networks behind the same firewall from each other ?
> * How do you divide your filtering up with groups - traffic types, protected
> networks, service types, etc ?
> * How do you physically layout your ruleset files - group by network,
> interface, services, none of the above ?  Do you use multiple files per
> ruleset that are glued together with scripts ?

This depends on the complexity of the ruleset and the customer 
requirements. We've done multiple files per ruleset but are converting 
our last customer to ipfmeta and storing the master copy in our CVS 
repo.

> 
> Are people using tools like "Isba" and "IPFMeta" to aid ruleset readability
> and maintainability ?  Do you have any other tools you use regularly and can
> recommend ?

Ipfmeta invoked by make is our current choice.  The makefile will call 
awk and sed to customise the resulting ipf.conf for the system it's 
being run on.

> 
> I'm asking because we are having a dramatic increase in the number of
> firewalls our department is managing.  Additionally, we have a few quite
> large machines with complex rulesets protecting multiple networks and the
> ongoing maintenance and management for them (from a ruleset & networking
> perspective) is becoming tedious and error-prone.  We are scheduled to be
> implementing a new machine that will also be quite large, with a complex
> ruleset and protecting multiple in the near future and I would greatly
> appreciate any advice/opinions people have to offer on the topic.
> 
> Additionally, on a distantly related subject, exactly which files must be
> edited under FreeBSD-4.x to increase the size of the state table ?  I've
> noticed that there are multiple copies of the same header file - do they all
> need to be edited ?  Any chance of a sysctl or /etc/make.conf directive
> sometime soon to make such changes easier ?

Try increasing IPSTATE_MAX to a larger prime number.


--
Cheers,                          Phone:  250-387-8437
Cy Schubert                        Fax:  250-387-5766
Team Leader, Sun/Alpha Team      Email:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, CITS
Ministry of Management Services
Province of BC            
                    FreeBSD UNIX:  cy@FreeBSD.org
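The make/awk/sed customisation step Cy describes above (one revision-controlled master ruleset rendered into a per-system ipf.conf), as an added shell example that is not code from this thread or from ipfmeta; the host table, interface names, networks and @TOKEN@ names are constructed, and the check function is an assumed sanity step a push script would run before copying the file out.

```shell
#!/bin/sh
# Added example, not code from the thread: renders a host-specific ipf.conf
# from a master template the way the make/awk/sed step above does.
# Hostnames, interfaces, networks and the token names are constructed.

# Constructed per-host table: host  outside_if  inside_if  inside_net
HOSTS='fw-a  fxp0  fxp1  192.168.10.0/24
fw-b  xl0   xl1   192.168.20.0/24'

# Master ruleset kept under revision control; @TOKENS@ are filled per host.
TEMPLATE='block in log all
block out log all
block in quick on @OUT_IF@ from @IN_NET@ to any
pass in quick on @IN_IF@ from @IN_NET@ to any keep state
pass out quick on @OUT_IF@ proto tcp from @IN_NET@ to any keep state'

# lookup_host HOST FIELD: awk pulls one column (2=outside if, 3=inside if,
# 4=inside net) for HOST; returns 1 if the host is not in the table.
lookup_host() {
    printf '%s\n' "$HOSTS" |
        awk -v h="$1" -v f="$2" '$1 == h { print $f; found = 1 } END { if (!found) exit 1 }'
}

# render_ipf_conf HOST: sed substitutes the host's values into the template.
# Fails rather than emit a ruleset for a host that is not in the table.
render_ipf_conf() {
    out_if=$(lookup_host "$1" 2) || return 1
    in_if=$(lookup_host "$1" 3) || return 1
    in_net=$(lookup_host "$1" 4) || return 1
    printf '%s\n' "$TEMPLATE" |
        sed -e "s|@OUT_IF@|$out_if|g" -e "s|@IN_IF@|$in_if|g" -e "s|@IN_NET@|$in_net|g"
}

# check_rendered CONF: refuse a ruleset that still contains an unexpanded
# token or whose first rule is not the default deny.
check_rendered() {
    printf '%s\n' "$1" | grep -q '@[A-Z_]*@' && return 1
    printf '%s\n' "$1" | head -n 1 | grep -q '^block in' || return 1
    return 0
}

# Usage (what the push script would do before copying to the firewall):
#   conf=$(render_ipf_conf fw-a) && check_rendered "$conf" && printf '%s\n' "$conf"
```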
