On Thu, 13 Apr 2000, Wallace, Mark, CTR, SAM/DSW wrote:

[Assuming the firewalls CC was intentional, I've kept it in]

> I've got two separate projects on my desk. In the first, my customer is
> demanding a proxy for netbios. I don't believe that such an animal exists,
> for a number of theoretical reasons. I'm not even sure that one could be
> built that would be useful/meaningful. Do you know of any? (Oh, I wish I
> could say, "Don't use it" - but that has already been shot down).

I don't recall seeing anything like that except in some switch/Token Ring SRB contexts that simply stored the mappings and directed traffic accordingly. I'd definitely make someone sign a "I said this is *really* bad, you acknowledge that you're ignoring my warnings." paper before I decided to leak anything NetBIOSish through any perimeter. Your best bet is probably some sort of VPN product with some prodigious filtering all over the place.

> Second, we're having a problem managing the complexity of our ACL's - too
> many people, too many routers, too many changes. Are you aware of any
> products that manage ACL lists? I know CISCO has an ACL manager product that
> optimizes the list, and provides other management functions. I'm looking for
> alternatives to that product.
>

Most people I know just use a TFTP server for configs and vector changes through one or two people. If you need multiple access levels, (don't know how much you're aware of here, and someone may find it useful...) you can set up user names for the routers and give per-command privileges to each user- and more importantly- with *complete* logging. Add in one-time authentication to a RADIUS or TACACS+ server like an ACE server, add a few scripts for reporting and you've nailed the accountability thing. You can also set your routers to net boot the images, which can be good or bad, depending on how much infrastructure you get.
I'm not really good at commercial products because I like to have a *lot* of control over my security infrastructure, so don't take this as an endorsement, because I've stayed away from even attempting to evaluate such products, but you might want to look at:

http://www.solsoft.com/

I haven't tried it. I always thought the company Cisco bought a couple years ago that did the virtual config stuff had a cool product, but I'm not sure if that's in or a superset of the access list manager product. It looked really helpful for testing entire configs and changes.

There was also something that would chunk out access lists for IPFilter and IOS that looked interesting in an "Open Source stuff you might want to play with if you're going to build something" sort of way. I'm NDA'd for something else that looks interesting in this context and that also does firewall configs, but it's not on the market yet, so I can't provide any pointers at the moment.

Lately there's also been some "telnet around and update config" stuff floating around that's useful for centralizing config changes. I generally tried to keep a TFTP capable machine on each side of the perimeter to hold the configs and a laptop for emergencies, but we were pretty successful in keeping changes minimized to a group of about 5 people. If it's specifically access-lists, you could give everyone else access to everything but the access list commands and manage that centrally. Obviously, uptime logs matter if you're relying on remote gear and remote admins.

Hope at least some of this helps,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
PSB#9280
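The per-user accounts, per-command privileges, one-time-password authentication against a TACACS+ server and complete command logging that Paul describes map onto a fairly standard Cisco IOS AAA configuration. The fragment below is an added example written for this page, not configuration from Paul or from the list; it uses IOS 15.x-style syntax rather than the 2000-era `tacacs-server host` form. The hostname, the server and management addresses (RFC 5737 documentation ranges), the user names and the `REPLACE-WITH-...` secrets are all constructed placeholders.

```cisco
! Added example (not from the original message): AAA with TACACS+ for
! one-time-password login, per-command authorization, full command
! accounting, a restricted local fallback tier, and config-change logging.
! Hostname, addresses, account names and secrets are placeholders.
hostname edge-rtr-1

! The AAA framework must be enabled before any "aaa" command is accepted.
aaa new-model

! TACACS+ server (fronting the OTP system) and a server group to reference it.
tacacs server aaa-1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
aaa group server tacacs+ OTP-SERVERS
 server name aaa-1

! Login and enable: ask the OTP-backed TACACS+ group first. The "local" and
! "enable" fallbacks are consulted only when no server answers at all, not
! when a server rejects the credentials.
aaa authentication login default group OTP-SERVERS local
aaa authentication enable default group OTP-SERVERS enable

! Per-command authorization at both privilege tiers, including configuration
! commands. The command sets on the TACACS+ server decide who may issue
! "access-list", "ip access-list" and "ip access-group"; everyone else gets
! everything but those, which is the split Paul suggests.
aaa authorization exec default group OTP-SERVERS local
aaa authorization commands 7 default group OTP-SERVERS local
aaa authorization commands 15 default group OTP-SERVERS local
aaa authorization config-commands

! Complete accounting: every session and every command at either tier is
! reported to the server, which is what makes the per-user audit trail.
aaa accounting exec default start-stop group OTP-SERVERS
aaa accounting commands 7 default start-stop group OTP-SERVERS
aaa accounting commands 15 default start-stop group OTP-SERVERS

! Log successful and failed logins locally as well, in case the server's
! records are ever in question.
login on-failure log
login on-success log

! Local fallback accounts, used only while every TACACS+ server is down.
! Level 7 is a diagnostic tier; level 15 belongs to the small ACL-owning group.
username jr-admin privilege 7 secret REPLACE-WITH-PASSWORD
username acl-owner privilege 15 secret REPLACE-WITH-PASSWORD

! Move a few read-only commands down to level 7 so the fallback account can
! troubleshoot. No configuration commands are lowered, so ACL edits stay at 15.
privilege exec level 7 show access-lists
privilege exec level 7 show ip interface brief
privilege exec level 7 show logging
privilege exec level 7 clear counters

! Record every configuration change (with the user who made it) to syslog,
! with passwords and keys masked out of the logged lines.
archive
 log config
  logging enable
  notify syslog
  hidekeys
logging host 192.0.2.20
logging trap informational

! Management plane reachable only from the admin network, and only over SSH.
ip access-list standard MGMT-HOSTS
 permit 198.51.100.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
```

Two points worth checking in a deployment of this shape: the `local` keyword on the authentication and authorization lines is a fallback for an unreachable server, so the local accounts must be held to the same password and review standards as the central ones, and the accounting lines only produce a usable trail if the TACACS+ server's own logs are retained and the router's clock is synchronized with it (NTP is not shown here).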
