Here is my attempt at restating the problem.
Charles mentions the various tools in current use, like Seawall and
the extended scripts and what is wrong with them. (Not easily
extended and/or modified beyond their original limited purpose.)
Where I see the problem is that current routing/firewall design
philosophy centers on the router. Instead the focus should be on
subnets and how the various subnets in a network relate to each
other. Then finally what routers are used to connect the subnets.
Take a real world problem like Charles' TX facility. You should be
able to describe the TX facility (or any other network) to our
hypothetical compiler as one unified specification. Then the compiler
should be able to generate the firewall/routing rules for each and
every router on the network, including the Cisco from the one unified
specification.
At 08:30 PM 01/02/2001 -0600, Charles Steinkuehler wrote:
>4 DMZ networks firewalled from each other (some specific services
>allowed)
>3 Internal networks firewalled from each other (again, sharing some
>specific services)
>Appropriate connections between:
> Internal networks and the DMZs
> DMZs and the internet
> Internal networks and the internet
> remote networks and the internal networks (via VPN)
>
>This is actually a description of the TX facility, which is
>implemented with 3 LRP boxes and a Cisco router...
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/mailman/listinfo/leaf-devel
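A toy "subnet-first" compiler of the kind proposed above, added here as an illustration and not code from this list, from LRP or from Charles' setup: one network-wide specification (subnets, the routers that join them, the flows that are allowed) is turned into a per-router rule list, with each rule placed only on the routers a packet actually crosses. The subnet names and addresses are constructed, and the "allow/deny" rule syntax is an assumption rather than ipchains or Cisco output.

```python
from collections import deque
from ipaddress import ip_network

# Constructed sample specification (not the real TX facility): named subnets,
# the routers that join them, and the flows the policy allows. Everything else
# is denied by every router.
SUBNETS = {"dmz1": "192.0.2.0/26", "int1": "10.1.0.0/24",
           "int2": "10.2.0.0/24", "internet": "0.0.0.0/0"}
ROUTERS = {"lrp-a": {"dmz1", "internet"},          # router -> attached subnets
           "lrp-b": {"int1", "int2", "dmz1"}}
FLOWS = [("internet", "dmz1", "tcp", 80),          # (src, dst, proto, dst_port)
         ("int1", "int2", "tcp", 445),
         ("int1", "internet", "tcp", 443)]

def routers_on_path(routers, src, dst):
    """BFS over the subnet graph; returns the routers a src->dst packet crosses."""
    prev = {src: None}                 # subnet -> (previous subnet, router used)
    queue = deque([src])
    while queue and dst not in prev:
        here = queue.popleft()
        for router in sorted(routers):         # sorted: deterministic paths
            if here not in routers[router]:
                continue
            for nxt in sorted(routers[router]):
                if nxt not in prev:
                    prev[nxt] = (here, router)
                    queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no route from {src} to {dst}")
    path, cur = [], dst
    while prev[cur] is not None:
        cur, router = prev[cur]
        path.append(router)
    return path[::-1]

def compile_rules(subnets, routers, flows):
    """Return {router: [rule, ...]}: explicit allows on each transit router, then deny."""
    nets = {name: ip_network(cidr) for name, cidr in subnets.items()}
    rules = {r: [] for r in routers}
    for src, dst, proto, port in flows:
        if src not in nets or dst not in nets:
            raise KeyError(f"flow {src}->{dst} names a subnet the spec does not define")
        for router in routers_on_path(routers, src, dst):
            rules[router].append(f"allow {proto} {nets[src]} -> {nets[dst]} dport {port}")
    for router in routers:
        rules[router].append("deny all")   # default deny closes every router's list
    return rules

if __name__ == "__main__":
    for router, rule_list in compile_rules(SUBNETS, ROUTERS, FLOWS).items():
        print(router, *rule_list, sep="\n  ")
```

Because a flow is only placed on the routers between its two subnets, the int1-to-internet rule lands on both LRP boxes while the DMZ web rule lands on lrp-a alone, and a flow naming an undefined subnet is rejected at compile time instead of silently producing no rule.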