RE: [nsp] Managing the Pix

From: Steve Cundall (SCundall@ariba.com)
Date: Mon Nov 13 2000 - 20:33:33 EST

Next message: Martin Cooper: "[nsp] IOS switching-path selection"
Previous message: Stephen R. Gill: "[nsp] Managing the Pix"
Maybe in reply to: Stephen R. Gill: "[nsp] Managing the Pix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

We have looked as CSPM and have not had good luck in using it. Rumor is that
Cisco doesn't even use it internally to manage their PIXen and ACLs. We had
a really hard time getting it going and finally gave up.

We are currently evaluating a product from Solsoft which so far looks very
promising. It appears to have everything we want. We have been basically
looking for a 'Checkpoint like' interface for managing multiple PIX. We
basically need it because the number of conduits on the firewall was getting
unmanagable and confusing which can cause errors and security problems. I
needed somehting that will allow us to create groups of machines, subnets
and services and then create rules based on that. This product appears to do
it and is fairly easy to use. Its not cheap (~$10k depending on number of
firewalls/routers, its licensed by interfaces managed), but we think it will
do the trick. Please forward any other recommendations you get as we are
still evaluating.

Regards,

Steve

-----Original Message-----
From: Stephen R. Gill [mailto:gillsr99@yahoo.com]
Sent: Monday, November 13, 2000 4:52 PM
To: cisco-nsp@puck.nether.net
Subject: [nsp] Managing the Pix

I would greatly appreciate any information that can provided on the
following:

1. The usefulness of CSPM program in managing PIX Firewalls. I'm
particularly interested in
  a. How well it can manage a large network and ruleset.
  b. Will it support adding multiple Firewalls that route for the same
networks. IE. Firewall Load Balancing (don't ask).
  c. Any personal experiences with the CS Policy Manager good or bad. To me
it seems rather convoluted.
2. Reliable 3rd party products that will mange a PIX ruleset.
3. Things to watch out for that may cause large performance hits: ie. NAT,
RPF, too many rules, tcp-intercept, etc...

I'd much rather configure it at the command line but require the ability to
insert rules ad hoc, and allow more novice users to create rules.

Thanks!!
-- steve

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

Next message: Martin Cooper: "[nsp] IOS switching-path selection"
Previous message: Stephen R. Gill: "[nsp] Managing the Pix"
Maybe in reply to: Stephen R. Gill: "[nsp] Managing the Pix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:20 EDT