Re: Self Introduction: Tyler Larson / iptables
- From: Neil Hare <Neil Hare fme fujitsu com>
- To: fedora-config-list redhat com
- Subject: Re: Self Introduction: Tyler Larson / iptables
- Date: Mon, 08 Dec 2003 14:21:28 +0100
Hi all,
The iptables configuration project, in particular, interests me
because of my networking background...
Intro: I'm a sysadmin with 10 years of experience on *NIX systems. My
current job has me managing an international network and managing the
(way too expensive, but nice to administer) Check Point Firewall. My
strong points are in network design and planning. I've looked over Python
and it doesn't seem any harder than Tcl/Tk, but certainly easier than
Java. GUI design is an area where I've scratched the surface, but I've
never designed any serious GUI app.
I have also been giving some serious thought to this issue and have
formulated quite a few ideas. Just a couple of thoughts to get you started:
- Should use a client / management / server model.
- Client: should be just that, a client. Nothing stored here. Only
connects to management.
- Management: here should be the logic. Checks that rule objects are
valid (valid IP, network definitions, etc.). Responsible for
"serializing" the config and objects, either in databases (LDAP, MySQL,
etc.) or in XML. Checks that one rule doesn't negate the next. Pushes
new policies to the firewall.
- Server (Check Point calls it the "Enforcement Module"): here's where
the rules get enforced. In a failover config, two gateways would need to
sync state information (VRRP).
- The client / management / server model should _allow_ all services to be
on different machines, but not _require_ it.
- Inter-machine communication should be encrypted. Automatic SSH tunnels
are probably the easiest (and quickest to implement).
- Should probably use some standard messaging protocol for communication
between client / management / server. Suggestions? Something based on XML?
- Management & clients should also be protected by a firewall policy. I
never understood why Check Point ignores the fact that management and
client should also be protected.
I could type for another hour, but I think you see where I'm going with
this. Interested in your thoughts.
Regards,
Neil
BTW: I'm based in Frankfurt, Germany, so my time is EST+6.
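As an added illustration of the management-layer checks Neil lists above (valid IP and network definitions, and one rule not negating the next), and not code from the post or from any project, here is a small Python model of first-match rules. The Rule fields, the sample policy and the message texts are my own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ACTIONS, PROTOS = {"accept", "drop"}, {"tcp", "udp", "icmp", "any"}
@dataclass(frozen=True)
class Rule:                 # assumed shape of the "rule object" the management layer stores
    src: str                # source prefix, e.g. "10.0.0.0/8"
    dst: str                # destination prefix
    proto: str              # one of PROTOS
    ports: tuple            # (low, high) destination ports; (0, 65535) = any
    action: str             # one of ACTIONS
def validate(rule):
    """Problems with one rule; an empty list means it is well formed."""
    problems = []
    for field in ("src", "dst"):
        try:
            ip_network(getattr(rule, field))  # strict: "10.0.1.0/23" (host bits set) is rejected
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
    if rule.proto not in PROTOS:
        problems.append(f"proto: unknown protocol {rule.proto!r}")
    if rule.action not in ACTIONS:
        problems.append(f"action: unknown action {rule.action!r}")
    return problems
def covers(earlier, later):
    """True if every packet matched by `later` is already matched by `earlier`."""
    for e, s in ((earlier.src, later.src), (earlier.dst, later.dst)):
        e, s = ip_network(e), ip_network(s)
        if e.version != s.version or not s.subnet_of(e):
            return False
    return (earlier.proto in ("any", later.proto)
            and earlier.ports[0] <= later.ports[0] <= later.ports[1] <= earlier.ports[1])
def check_policy(rules):
    """Report malformed rules, then rules that an earlier rule makes unreachable."""
    findings = [f"rule {i}: {p}" for i, r in enumerate(rules) for p in validate(r)]
    ok = [i for i, r in enumerate(rules) if not validate(r)]   # only compare well-formed rules
    for j in ok:
        for i in (k for k in ok if k < j):
            if covers(rules[i], rules[j]):
                # a different action means the earlier rule negates this one; the same action
                # means this one is merely redundant; either way it is never reached
                kind = "negated" if rules[i].action != rules[j].action else "redundant"
                findings.append(f"rule {j} is {kind}: fully covered by rule {i} ({rules[i].action})")
                break
    return findings
POLICY = [  # constructed sample policy; first match wins, as in an iptables chain
    Rule("10.0.0.0/8", "0.0.0.0/0", "any", (0, 65535), "drop"),
    Rule("10.1.2.0/24", "192.0.2.10/32", "tcp", (443, 443), "accept"),  # never reached
    Rule("192.0.2.0/24", "10.0.0.5/32", "udp", (53, 53), "accept"),
    Rule("192.0.2.0/24", "10.0.1.0/23", "tcp", (80, 80), "accept"),    # bad prefix
]
```

Running check_policy(POLICY) reports the malformed destination prefix of rule 3 and that rule 1 is negated by rule 0.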