Enterprise Management Software for PIX

I'm looking for some recommendations for software which could manage a fairly large deployment of PIX firewalls (100-200). Management of these would include security policy and configuration management (development, archiving, deployment, auditing). Any help would be greatly appreciated! Open source and commercial products are considered.

Reply to
dfields

In article , Ivan wrote:
:In article ,
:david_c snipped-for-privacy@hotmail.com says...
:> I'm looking for some recommendations for software which could manage a fairly large deployment of PIX firewalls (100-200). Management of these would include security policy and configuration management (development, archiving, deployment, auditing). Any help would be greatly appreciated! Open source and commercial products are considered.
:
:Well, this is exactly the description of a Cisco VMS solution
:
For integrated enterprise-class software, the other company you should look at is solsoft.com -- the SolSoft Policy Server 7 for company-wide management with multiple functional administrative roles (e.g., if you want to be able to appoint departmental-level security admins), and the SolSoft Firewall Manager for single-user administration.

I haven't priced the SolSoft Firewall Manager; the Policy Server was several times as expensive as Cisco's VMS.

I had a careful look at Cisco's VMS and compared it to my home-grown tools. I found that VMS had almost exactly the same limitations as my home-grown tools did. The one thing that VMS had going for it that my tools don't have, is that VMS knows how to talk to the undocumented API used by PDM, and so VMS is able to "reliably" update remote firewalls.

If you were to try to use the CLI to update a remote firewall -through- a VPN link to the firewall, then you would run into consistency problems when you update the 'match address' ACL: after you change the ACL, PIX 6 goes into an inconsistent state in which it might refuse to pass traffic through any of the existing or new SAs (security associations), and this inconsistency lasts until you "clear ipsec sa"... which causes your VPN connection to drop and take a few seconds to rebuild, which ruins your tftp of the new config :( You usually can't just solve this problem by leaving tftp traffic off of your VPN (unprotected), because ISP filters often block tftp... and that's not even considering the security factor of not wanting your firewall configuration to be transmitted in the clear.

VMS, by going through a different port, is supposed to be able to handle reliable updates. I didn't stress-test this. In my particular case, I could have removed the pdm port from the VPN (it uses SSL anyhow so not a big security problem), but in other cases the pdm port might also be blocked.

But that was the -only- real advantage to VMS compared to what I had already. The VMS GUI is slow and not particularly well organized. And the strict hierarchical structure of inheritance of properties leaves you needing to develop ruleset hacks in exactly the same way that I was already using for my home-grown tools.

For example, under Cisco's VMS, if you want to allow system X in one firewall to ftp to system Y in another firewall, you have to add the outgoing ftp rule to X's firewall, and you have to add the incoming ftp rule to Y's firewall -- and if there is NAT involved, you have to take all the NAT into configuration manually.

I looked at the SolSoft product's specs, and (at least on paper) the product is beautiful. The SolSoft product allows policy creation, and it automatically figures out the set of rules needed to implement the policies on each firewall... and exactly the same policybase can be used to export to several different brands and software revs of firewalls (e.g., if you wanted to swap a PIX for another brand, all you would have to do is tell the software what the brand was, and it would create the whole equivalent configuration.)

I posted a laundry-list of features I was hoping to find in a firewall management system, and I found that SolSoft covered pretty much all of the features... but that VMS was not nearly as useful for -my- purposes.


Unfortunately, my management hasn't been able to find the money for Solsoft's product :( It looks like that if I'd had it a couple of years ago, I would have saved a minimum of 4 months of work over 2 years... and that's with only 6 firewalls.

But a lot depends on how complex your rules are. If you have a real hub-and-spoke operation in which you can very narrowly define the traffic between the spokes and the hub, and the spokes don't need to talk to each other and the hub doesn't need to talk much to the spokes, and the spokes essentially don't have any "unique circumstances", then VMS might be fine for managing ~100 near-clone configurations. It happens that in our situation we are closer to "distributed computing" than to centralized computing, so our intra-office flows get messy, and VMS just isn't suited for that.

Reply to
Walter Roberson
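The split that Walter describes (one policy entry "X may ftp to Y" becoming an outbound rule on X's firewall, an inbound rule on Y's firewall, and NAT handled by hand under VMS, or automatically under a policy compiler like SolSoft's) can be illustrated with a small policy compiler. The code below is an added example written for this thread; it is not from the thread, and it is not the code of Cisco VMS, SolSoft or fwbuilder. The firewall names, networks and addresses are constructed, and it assumes, as on PIX 6, that an access-list applied on the outside interface is written against translated (global) addresses while the inside access-list uses real addresses. A destination with no static translation is reported as uncompilable rather than silently emitted.

```python
"""Toy policy compiler: one policy entry -> per-firewall PIX-6-style ACL lines.

Added example for this thread, not vendor code. All hosts, firewalls and
addresses are constructed. Assumption: the outside-interface ACL is written
against translated addresses, the inside ACL against real addresses.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Service table: name -> (protocol, port). Constructed for the example.
SERVICES = {"ftp": ("tcp", 21), "ssh": ("tcp", 22), "http": ("tcp", 80)}


@dataclass
class Firewall:
    """One firewall: inside network, outside (PAT) address, static translations."""
    name: str
    inside_net: str                                   # e.g. "10.1.0.0/16"
    outside_addr: str                                 # interface address used for PAT
    static_nat: dict = field(default_factory=dict)    # real inside ip -> global ip
    rules: dict = field(default_factory=lambda: {"inside": [], "outside": []})


class Topology:
    def __init__(self, firewalls):
        self.firewalls = list(firewalls)

    def firewall_for(self, host):
        """Firewall whose inside network contains host, or None if host is 'on the internet'."""
        for fw in self.firewalls:
            if ip_address(host) in ip_network(fw.inside_net):
                return fw
        return None


def seen_from_outside(fw, host):
    """How host appears beyond fw: its static global address if one exists, else the PAT address."""
    if fw is None:
        return host
    return fw.static_nat.get(host, fw.outside_addr)


def compile_policy(topo, policy):
    """Turn (src, dst, service) entries into ACL lines on each firewall involved.

    Returns ({firewall name: {"inside": [...], "outside": [...]}}, errors) where
    errors lists entries whose destination has no static NAT and so cannot be reached.
    """
    errors = []
    for src, dst, svc in policy:
        proto, port = SERVICES[svc]
        src_fw, dst_fw = topo.firewall_for(src), topo.firewall_for(dst)
        if src_fw is not None and src_fw is dst_fw:
            continue  # both hosts behind the same firewall; the flow never crosses it
        if dst_fw is not None and dst not in dst_fw.static_nat:
            errors.append((src, dst, svc, f"{dst} has no static NAT on {dst_fw.name}"))
            continue
        dst_global = seen_from_outside(dst_fw, dst)
        src_global = seen_from_outside(src_fw, src)
        if src_fw is not None:
            # Outbound on X's firewall: real source, destination as the world sees it.
            src_fw.rules["inside"].append(
                f"access-list inside_in permit {proto} host {src} host {dst_global} eq {port}")
        if dst_fw is not None:
            # Inbound on Y's firewall: translated source and translated destination.
            dst_fw.rules["outside"].append(
                f"access-list outside_in permit {proto} host {src_global} host {dst_global} eq {port}")
    return {fw.name: fw.rules for fw in topo.firewalls}, errors


def build_example():
    """Constructed two-firewall topology and a three-entry policy."""
    fw_a = Firewall("fw-a", "10.1.0.0/16", "198.51.100.1", {"10.1.1.5": "198.51.100.5"})
    fw_b = Firewall("fw-b", "10.2.0.0/16", "203.0.113.1", {"10.2.1.9": "203.0.113.9"})
    policy = [
        ("10.1.1.5", "10.2.1.9", "ftp"),     # X behind fw-a may ftp to Y behind fw-b
        ("10.2.1.9", "192.0.2.10", "http"),  # Y may reach an internet host
        ("10.1.1.7", "10.2.1.20", "ssh"),    # destination has no static NAT: uncompilable
    ]
    return compile_policy(Topology([fw_a, fw_b]), policy)


if __name__ == "__main__":
    rules, errors = build_example()
    for name, per_iface in rules.items():
        for iface, lines in per_iface.items():
            for line in lines:
                print(f"{name} ({iface}): {line}")
    for err in errors:
        print("cannot compile:", err)
```

Running it emits the outbound ftp rule on fw-a against Y's global address, the matching inbound rule on fw-b with X's global source, the outbound http rule on fw-b, and reports the ssh entry because 10.2.1.20 is only reachable through PAT. Swapping the string formatting in `compile_policy` for another vendor's syntax is the per-brand export Walter mentions; the policy and topology do not change.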

Well, this is exactly the description of a Cisco VMS solution.

I've never used this software but I think it would be worth trying since it might solve your problems.

Reply to
Ivan

Thanks for the responses - we are going to look at SolSoft in addition to VMS and fwbuilder. I really appreciate the assistance!! Thanks again!

David

Reply to
dfields

In article , dfields wrote:
:Thanks for the responses - we are going to look at SolSoft in addition
:to VMS and fwbuilder.

Interesting: although it isn't mentioned in the FAQ, I see that netcitadel offers a commercial fwbuilder policy compiler for PIX. I'll have to have a closer look.

Reply to
Walter Roberson
