Dear All:

In response to Ben Nagy's reply (a copy of which is attached after my 
reply), I would suggest one of the following:

- An https management interface where both the firewall and the 
administrator(s) have valid certificates.  The advantage of this management 
solution is that any browser can serve as the interface provided the 
public key of the CA that generates the certificates is imported into the 
browser, assuming an internal certificate authority (CA) is utilized rather 
than a commercial one.

- A secure version of Simple Network Management Protocol (SNMP).  SNMP 
Version 2 was designed to provide secure management.  Unfortunately, most 
vendors have failed to implement the software claiming that the end user 
community has not shown enough interest to justify the effort.

- A Secure Shell (SSH) implementation that supports both secure telnet and 
secure ftp.

In all my suggestions, note that I considered the need for both strong 
mutual authentication and confidentiality of the traffic an important 
criterion.  I also believe that the management tool should provide for extensive 
filtering and reporting of the audit information or at least provide export 
capability to allow it to be done with traditional tools such as Excel or 
Crystal Reports.

Regards;
Marc Mandel

At 11:51 AM 05/31/2002 +0200, Ben Nagy wrote:
>OK, smarty pants...
>
>What would you consider a "good" management system for a firewall?
>
>I was thinking about this myself when this email first hit the list, but
>because I couldn't really decide what my favourite solution was, I kept
>my mouth shut.
>
>Then again, I don't write firewalls like Mike.
>
>Obvious contenders are HTTP (needs an HTTP server on the firewall, could
>be bad, especially if it uses post operations to send data back to the
>firewall. HTTP is fairly ubiquitous, which is good.) Java (needs Java
>support, but could be good on good platforms with a real sandbox) or
>Proprietary (dedicated app required at the management station, which
>involves cross-system porting - could be bad. Pipeline between
>management station and firewall is probably strong, could be good.).
>
>We are ready for your wisdom... ;)
>
>--
>Ben Nagy
>Network Security Specialist
>Mb: TBA  PGP Key ID: 0x1A86E304
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Mikael Olsson
>[...]
> > Yes, I definitely consider a good management system a requirement.
> >
> >
> > > A web-based system?
> >
> > Although this would make me look elsewhere :)
> >
>[...]
> > --
> > Mikael Olsson, Clavister AB
>[...]
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>For Account Management (unsubscribe, get/change password, etc) Please go to:
>http://lists.gnac.net/mailman/listinfo/firewalls
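
The first suggestion in the reply above (an HTTPS management interface with certificates on both sides, issued by an internal CA) rests on each side checking that the other's certificate chains to that CA. The following shell script is an added example, not part of the original thread; it assumes the `openssl` command-line tool with its default configuration, and the names `Internal Mgmt CA`, `firewall.example`, `admin1` and `intruder` are constructed.

```shell
#!/bin/sh
# Added example: throwaway internal CA, one certificate for the firewall and one
# for an administrator, then a check of which certificates chain to that CA.
# All names and subjects below are constructed for illustration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # private keys are temporary; remove them on exit

# make_ca: self-signed root; ca.pem is the file imported into admin browsers
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Internal Mgmt CA" 2>/dev/null
}

# issue NAME CN: new key and signing request for NAME, signed by the internal CA
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/$1.pem" 2>/dev/null
}

# make_outsider NAME: self-signed certificate the internal CA never issued
make_outsider() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" 2>/dev/null
}

# trusted NAME: succeeds only if NAME's certificate chains to the internal CA.
# The firewall applies this check to the administrator's certificate; the
# administrator's browser applies the equivalent check to the firewall's.
trusted() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

make_ca
issue firewall firewall.example
issue admin1 admin1
make_outsider intruder

for who in firewall admin1 intruder; do
    if trusted "$who"; then echo "$who: accepted"; else echo "$who: rejected"; fi
done
```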
