Ben Nagy wrote:

[..] 
> What about policy management for all 70 sites from a single console? Can the
> PIX do that effectively yet? I've heard mumble about an Enterprise Manager
> of some description for PIX / Router ACLs, but I honestly have no idea
> whether or not it's vapour.
> 
> It would seem to me that the ability to make policy changes without manually
> configuring 70 firewalls would be valuable - it's quicker and much more
> accurate.
> 

Hoping CSPM works good enough. Got a sneak preview of the newest 
version. It looks OK. Much better than previous versions. PDM for single 
firewalls, CSPM for multiple firewalls.


[..] 
> I would also be asking myself how _good_ the Checkpoint bandwidth management
> is. Given a choice, I think I'd prefer to buy bandwidth management from
> someone who lives or dies by the quality of their offering - and Checkpoint
> ain't one of them.
> 

One of our colleges broke CP's bandwidth management. Too many sessions. 
Had to shut it off & buy a Packeteer.


>
> 
> All good points. Modems permanently attached to firewalls is Very Wrong, but
> I know that you're talking about modem access via manual intervention from a
> human.
>

We'd have to leave them off until stuff breaks.

 
> 
> NIDS systems, monitored by human beings. About a million times more valuable
> than firewalls, IMO.
> 

I could be nuking the new NIMDA worms with NIDS instead of trying to 
null route them. Much more fun! Just get me NIDS with a joystick... :-)


> 
> I just wonder about the cost of managing that many PIXen. Does anyone use
> Enterprise Management software that can make changes to many PIXen at once,
> based on central policy decisions? I see that as fairly important for a
> network of that size.
>

Me too. CP looks better that way, although Cisco CSPM is looking OK too.

 
> I'd also note that having seventy points of entry from the 'net is a
> dangerous architecture. I'm sure that it has been done for good reasons, but
> I'd be more comfortable with a network that had less entry points.
>

We have only two ISP connections. We could theoretically firewall them, 
but then our campuses would not be protected from one another. That is 
important, as we have hackers using our open labs pretty regularly.

 

Thanks.

-- 
-----------------------------------------
Michael Janke
Director, Network Services
Minnesota State Colleges and Universities
-----------------------------------------

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
