[c-nsp] Hardware for 'managed firewall'

Ge Moua moua0100 at umn.edu
Wed Sep 30 22:38:50 EDT 2009


we have about 25 production FWSMs on our campus with the 250-context 
license per blade; if you do the math we can spin up theoretically 6,250 
virtual firewalls; as such we do use standardized policy templates in 
order to centralize the production firewall environment; drawback with 
this is that using standard policy templates does not allow for super 
granular ruleset; most customers are ok with this; others just choose to 
write their own policies; we also offer both options of the ASDM GUI & 
IOS CLI; many customers do prefer the ASDM GUI.

See following URL for our standard firewall policy templates; nothing 
really NDA or proprietary; just a lot of time between 10 or so firewall and 
security SMEs who tried to put together a comprehensive base security 
policy template; you can pretty much copy & paste this into a running 
Cisco firewall and you're set to go:

https://netfiles.umn.edu/users/moua0100/UMN_CENTRAL_FIREWALL_SERVICE/

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
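The template approach described above (one shared baseline that every context inherits, with customer-specific rules layered on top, as the quoted thread below also asks for) can be rendered mechanically. The following is an added, constructed example, not the UMN templates or any code from the thread; the host addresses, ACL name and context name are placeholders:

```python
"""Per-context ASA/FWSM access-lists rendered from one shared base template.
Constructed example: base entries (monitoring/backup hosts) go first in every
context, so first-match order makes them inherited and un-overridable."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # permit | deny
    proto: str   # ip | tcp | udp | icmp
    src: str     # 'any', 'host A.B.C.D' or 'NET MASK'
    dst: str
    port: str = ""  # e.g. 'eq 22'; empty when no port match

    def line(self, acl: str) -> str:
        port = f" {self.port}" if self.port else ""
        return f"access-list {acl} extended {self.action} {self.proto} {self.src} {self.dst}{port}"

# Constructed baseline with hypothetical monitoring and backup hosts.
BASE_RULES = (
    Rule("permit", "udp", "host 10.0.0.10", "any", "eq snmp"),
    Rule("permit", "tcp", "host 10.0.0.20", "any", "eq 22"),
)

def lint(customer_rules) -> list:
    """Flag customer entries that defeat the baseline: a blanket permit, or
    the same match tuple as a base entry with the opposite action."""
    problems = []
    for r in customer_rules:
        if (r.action, r.proto, r.src, r.dst) == ("permit", "ip", "any", "any"):
            problems.append("blanket 'permit ip any any'")
        for b in BASE_RULES:
            if (r.proto, r.src, r.dst, r.port) == (b.proto, b.src, b.dst, b.port) and r.action != b.action:
                problems.append(f"contradicts base entry {b.line('BASE')!r}")
    return problems

def render_context(name: str, acl: str, customer_rules) -> list:
    """Config lines for one context; raises if lint finds a problem."""
    problems = lint(customer_rules)
    if problems:
        raise ValueError(f"{name}: " + "; ".join(problems))
    lines = [f"! context {name}: base template first, customer rules after"]
    lines += [r.line(acl) for r in BASE_RULES]
    lines += [r.line(acl) for r in customer_rules if r not in BASE_RULES]
    lines.append(f"access-list {acl} extended deny ip any any log")  # explicit, logged deny
    return lines
```

Because the base entries are emitted before any customer entry, a context cannot lose its monitoring or backup access by adding rules; the lint step catches the two cases that would otherwise silently defeat the baseline.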



Scott Granados wrote:
> GUI is for the weak!
> ----- Original Message ----- From: "David Hughes" <david at hughes.com.au>
> To: "Justin Shore" <justin at justinshore.com>
> Cc: "Cisco NSP ((E-mail))'" <cisco-nsp at puck.nether.net>
> Sent: Wednesday, September 30, 2009 5:02 PM
> Subject: Re: [c-nsp] Hardware for 'managed firewall'
>
>
>>
>> On 30/09/2009, at 11:06 PM, Justin Shore wrote:
>>
>>> You should really take a look at the new ASDM releases for the  
>>> FWSMs. It's actually pretty good.  You have full control of all  
>>> contexts if you aim ASDM at the admin context.  Of course I never  
>>> use the GUI anyway so what does that matter?
>>
>> My focus has been on centralised policy management for many hundreds  
>> of contexts.  Each context must inherit standard ACL entries for our  
>> monitoring or backup systems etc.  Don't care about GUI based  
>> management per se.
>>
>>
>>> We supply crypto in our 7600s for the data center with SSC-400 2G  
>>> IPSec SPAs.  Now if you want to talk about a funky LC, let's talk  
>>> about those damn things.
>>
>> Sounds ugly.  As they say in the classics -  "Good luck with that  
>> one"  :)
>>
>>
>> David
>> ...
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/