[j-nsp] Firewall best practices

Morgan McLean wrx230 at gmail.com
Mon Jun 11 19:18:30 EDT 2012


Hi everyone,

I have a question regarding managing policies among multiple sets of
firewalls. I don't know what industry standard / best practice is for
managing rules among multiple devices.

Currently our office has an SRX cluster, site A has an edge SRX cluster and
core SRX cluster, and site B has an edge SRX cluster and core SRX cluster.
The edge SRX clusters generally interface with border routers or providers
directly, IPSEC, DMZ and any outbound 3rd party web filter redirects etc.
The core SRX clusters handle firewalling between our different
environments, separating search engines, databases, web servers, etc.

I don't know what the best way to manage the firewall rules is between
these sites. I don't think it's sustainable to write the same rule on site A
core, site A edge, site B edge, site B core. And then managing the address
book entries on every device also becomes a hassle, making sure it's
all synchronized etc. Is there a better method of doing this?

I don't even want to think about what happens if I want traffic from the
office to route through site A in order to reach site B in the event of a
VPN issue between the office and site B directly.

Is there a good method for keeping these things managed, like only having
the edge firewall for site A manage incoming connections, and let the other
site's edge firewall deal with site A's outgoing connections, etc?

I'm a mess. If we add two more sites my head might explode.

Morgan
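The two pain points raised above, writing the same rule on four clusters and keeping address-book entries synchronized, are what a single source of truth addresses: define address objects and policies once, say which devices each policy belongs on, and render the per-device Junos configuration from that definition, checking for dangling references before anything is pushed. The Python below is an added illustration of that approach and is not code from this thread or from Juniper. Device names, zone names, prefixes and policy names are constructed placeholders; the rendering assumes the SRX global address book and the `set security policies from-zone ... to-zone ... policy ... match/then` set syntax, and it assumes zone names are used consistently across the devices a policy is assigned to.

```python
"""Render per-device Junos 'set' commands from one shared policy definition.

Added example for this thread, not from the original post or from Juniper.
Every device, zone, prefix and policy name below is a constructed placeholder.
"""
from typing import Dict, List

# Constructed device inventory: one entry per SRX cluster in the post.
DEVICES = {"office-edge", "siteA-edge", "siteA-core", "siteB-edge", "siteB-core"}

# Single source of truth for address objects, shared by every device.
ADDRESS_BOOK: Dict[str, str] = {
    "office-lan": "10.10.0.0/16",   # constructed prefix
    "siteA-web": "10.20.1.0/24",    # constructed prefix
    "siteA-db": "10.20.2.0/24",     # constructed prefix
    "siteB-web": "10.30.1.0/24",    # constructed prefix
}

# Each policy is written once and lists the devices it must exist on, so the
# same rule lands on the edge and core clusters along the path without being
# retyped per device. Applications use Junos predefined names.
POLICIES: List[dict] = [
    {
        "name": "office-admin-ssh",
        "devices": ["office-edge", "siteA-edge", "siteA-core"],
        "from_zone": "trust", "to_zone": "servers",
        "src": ["office-lan"], "dst": ["siteA-web", "siteA-db"],
        "apps": ["junos-ssh"], "action": "permit",
    },
    {
        "name": "siteB-web-to-siteA-db",
        "devices": ["siteB-core", "siteB-edge", "siteA-edge", "siteA-core"],
        "from_zone": "web", "to_zone": "db",
        "src": ["siteB-web"], "dst": ["siteA-db"],
        "apps": ["junos-https"],  # placeholder application for the example
        "action": "permit",
    },
]


def validate(address_book: Dict[str, str], policies: List[dict]) -> List[str]:
    """Return a list of errors: policies that reference an address object
    not in the shared book, or a device not in the inventory. An empty
    list means the definition is consistent and safe to render."""
    errors: List[str] = []
    for p in policies:
        for ref in p["src"] + p["dst"]:
            if ref not in address_book:
                errors.append(f"policy {p['name']}: unknown address {ref}")
        for dev in p["devices"]:
            if dev not in DEVICES:
                errors.append(f"policy {p['name']}: unknown device {dev}")
    return errors


def render_device(device: str, address_book: Dict[str, str],
                  policies: List[dict]) -> List[str]:
    """Produce the Junos set commands for one device: only the address
    objects its policies actually use, followed by the policies assigned
    to it. Devices with no policies get an empty list."""
    mine = [p for p in policies if device in p["devices"]]
    used = sorted({a for p in mine for a in p["src"] + p["dst"]})
    lines = [
        f"set security address-book global address {name} {address_book[name]}"
        for name in used
    ]
    for p in mine:
        base = (f"set security policies from-zone {p['from_zone']} "
                f"to-zone {p['to_zone']} policy {p['name']}")
        for s in p["src"]:
            lines.append(f"{base} match source-address {s}")
        for d in p["dst"]:
            lines.append(f"{base} match destination-address {d}")
        for app in p["apps"]:
            lines.append(f"{base} match application {app}")
        lines.append(f"{base} then {p['action']}")
    return lines


if __name__ == "__main__":
    problems = validate(ADDRESS_BOOK, POLICIES)
    if problems:
        raise SystemExit("\n".join(problems))
    for dev in sorted(DEVICES):
        print(f"# ---- {dev} ----")
        print("\n".join(render_device(dev, ADDRESS_BOOK, POLICIES)))
```

Because every device is rendered from the same definition, adding a fourth or fifth site means adding its name to the inventory and to the `devices` list of the policies that should traverse it; the address book never has to be edited per device. The output is plain `set` syntax, so it can be reviewed as a diff against each cluster's current configuration before being applied.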


More information about the juniper-nsp mailing list