Re: Self Introduction: Tyler Larson / iptables

Hi all,

The iptables configuration project, in particular, interests me
because of my networking background...

Intro: I'm a sysadmin with 10 years of experience on *NIX systems. My current job has me managing an international network and managing the (way too expensive, but nice to administer) Check Point Firewall. My strong points are in network design and planning. I've looked over Python and it doesn't seem any harder than Tcl/Tk, but certainly easier than Java. GUI design is an area where I've scratched the surface, but I've never designed any serious GUI app.

I have also been giving some serious thought to this issue and have
formulated quite a few ideas. Just a couple of thoughts to get you started:

- should use client / management / server model
- client should be just that, a client. Nothing stored here. Only connects to management.
- Management - here should be the logic. Check that rule objects are valid (valid IP, network definitions, etc.). Responsible for "serializing" the config and objects, either in databases (LDAP, MySQL, etc.) or in XML. Checks that one rule doesn't negate the next. Pushes new policies to firewall.
- Server (Check Point calls it the "Enforcement Module") - here's where the rules get enforced. In a failover config, two gateways would need to sync state information (VRRP).
- Client / Management / Server model should _allow_ all services to be on different machines, but not _require_ it.
- Inter-machine communication should be encrypted. Automatic SSH tunnels are probably the easiest (and quickest to implement).
- Should probably use some standard messaging protocol for communication between client / management / server. Suggestions? Something based on XML?
- Management & clients should also be protected by a firewall policy. I never understood why Check Point ignores the fact that management and client should also be protected.


I could type for another hour, but I think you see where I'm going with this. Interested in your thoughts.

Regards,

Neil

BTW: I'm based in Frankfurt, Germany so my time is EST+6.
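As an added illustration of the management-tier duties Neil lists above (rule-object validation, "one rule doesn't negate the next", serialization to XML, and rendering what gets pushed to the enforcement module), here is example code that is not from the original post or from any project on this list. The `Rule` object, its attribute set, the XML layout and the sample policy are all my own assumptions; the shadowing check only looks at chain, source, destination, protocol and destination port, so a real implementation would need to extend it to interfaces, connection state and any other match it lets rules carry.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical rule object for the management tier (my assumption, not the project's).
@dataclass(frozen=True)
class Rule:
    chain: str            # INPUT, OUTPUT or FORWARD
    src: str              # source network in CIDR form, e.g. "10.0.0.0/8"
    dst: str              # destination network in CIDR form
    proto: str            # "tcp", "udp", "icmp" or "all"
    dport: Optional[int]  # destination port, None for any (tcp/udp only)
    action: str           # ACCEPT, DROP or REJECT

VALID_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}
VALID_PROTOS = {"tcp", "udp", "icmp", "all"}
VALID_ACTIONS = {"ACCEPT", "DROP", "REJECT"}

def validate(rule: Rule) -> List[str]:
    """Object-level checks (valid IP / network definitions); empty list means OK."""
    problems = []
    if rule.chain not in VALID_CHAINS:
        problems.append(f"unknown chain {rule.chain!r}")
    for label, value in (("src", rule.src), ("dst", rule.dst)):
        try:
            # strict=True rejects "10.0.0.1/8": host bits set is almost always a typo
            ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            problems.append(f"bad {label} network {value!r}: {exc}")
    if rule.proto not in VALID_PROTOS:
        problems.append(f"unknown protocol {rule.proto!r}")
    if rule.dport is not None:
        if rule.proto not in ("tcp", "udp"):
            problems.append("dport is only meaningful for tcp or udp")
        elif not 1 <= rule.dport <= 65535:
            problems.append(f"port {rule.dport} out of range")
    if rule.action not in VALID_ACTIONS:
        problems.append(f"unknown action {rule.action!r}")
    return problems

def _net_covers(outer: str, inner: str) -> bool:
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return o.version == i.version and i.subnet_of(o)

def _covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet `later` could match is already decided by `earlier`."""
    return (earlier.chain == later.chain
            and _net_covers(earlier.src, later.src)
            and _net_covers(earlier.dst, later.dst)
            and earlier.proto in ("all", later.proto)
            and earlier.dport in (None, later.dport))

def find_shadowed(policy: List[Rule]) -> List[Tuple[int, int, bool]]:
    """Order-dependent check: a rule fully covered by an earlier rule in the same
    chain can never fire. Returns (dead_index, covering_index, actions_differ);
    actions_differ=True is the "one rule negates the next" case."""
    found = []
    for i, later in enumerate(policy):
        for j in range(i):
            if _covers(policy[j], later):
                found.append((i, j, policy[j].action != later.action))
                break
    return found

def to_xml(policy: List[Rule]) -> str:
    """Serialize the policy as XML (layout is my assumption)."""
    root = ET.Element("policy")
    for r in policy:
        e = ET.SubElement(root, "rule", chain=r.chain, src=r.src, dst=r.dst,
                          proto=r.proto, action=r.action)
        if r.dport is not None:
            e.set("dport", str(r.dport))
    return ET.tostring(root, encoding="unicode")

def from_xml(text: str) -> List[Rule]:
    rules = []
    for e in ET.fromstring(text).findall("rule"):
        dport = e.get("dport")
        rules.append(Rule(e.get("chain"), e.get("src"), e.get("dst"), e.get("proto"),
                          int(dport) if dport is not None else None, e.get("action")))
    return rules

def to_iptables(policy: List[Rule]) -> List[str]:
    """Render what the enforcement module would run, in policy order."""
    cmds = []
    for r in policy:
        cmd = f"iptables -A {r.chain} -s {r.src} -d {r.dst}"
        if r.proto != "all":
            cmd += f" -p {r.proto}"
        if r.dport is not None:
            cmd += f" --dport {r.dport}"
        cmds.append(cmd + f" -j {r.action}")
    return cmds

# Constructed sample policy: rule 2 is negated by rule 0, rule 3 is dead after rule 1.
SAMPLE_POLICY = [
    Rule("INPUT", "10.0.0.0/8", "0.0.0.0/0", "tcp", 22, "ACCEPT"),
    Rule("INPUT", "0.0.0.0/0", "0.0.0.0/0", "all", None, "DROP"),
    Rule("INPUT", "10.1.2.0/24", "0.0.0.0/0", "tcp", 22, "DROP"),
    Rule("INPUT", "192.168.0.0/16", "0.0.0.0/0", "udp", 53, "ACCEPT"),
]

if __name__ == "__main__":
    for dead, cover, differ in find_shadowed(SAMPLE_POLICY):
        print(f"rule {dead} is {'negated' if differ else 'redundant'}: covered by rule {cover}")
    print("\n".join(to_iptables(from_xml(to_xml(SAMPLE_POLICY)))))
```

Run as a script it reports the two dead rules and prints the iptables commands rebuilt from the XML round trip. The management tier would refuse to push a policy while `validate` returns problems or `find_shadowed` reports a negated rule, since a later rule that can never fire is nearly always an operator mistake rather than intent.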