[j-nsp] Firewall best practices

Patrick Dickey dickeypjeep at yahoo.com
Mon Jun 11 19:52:39 EDT 2012


Morgan- I would take a good hard look at Junos Space's Security Design package. It has centralized address books, tiered policy management, config management, and VPN tools (among a ton of other features), all from a single pane of glass. Ask your reseller for a demo or check it out online. The information Juniper is publishing on the website may be a little out of date, but there is more info available to your Juniper sales team.
 
 
HTH
 
Patrick
 


________________________________
From: Morgan McLean <wrx230 at gmail.com>
To: juniper-nsp at puck.nether.net 
Sent: Monday, June 11, 2012 5:18 PM
Subject: [j-nsp] Firewall best practices

Hi everyone,

I have a question regarding managing policies among multiple sets of
firewalls. I don't know what industry standard / best practice is for
managing rules among multiple devices.

Currently our office has an SRX cluster, site A has an edge SRX cluster and
core SRX cluster, and site B has an edge SRX cluster and core SRX cluster.
The edge SRX clusters generally interface with border routers or providers
directly, IPsec, DMZ and any outbound 3rd party web filter redirects etc.
The core srx clusters handle firewalling between our different
environments. Separating search engines, databases, web servers, etc etc.

I don't know what the best way to manage the firewall rules is between
these sites. I don't think it's sustainable to write the same rule on site A
core, site A edge, site B edge, site B core. And then managing the address
book entries on every device also becomes a hassle, making sure it's
all synchronized etc. Is there a better method of doing this?

I don't even want to think about what happens if I want traffic from the
office to route through site A in order to reach site B in the event of a
VPN issue between the office and site B directly.

Is there a good method for keeping these things managed, like only having
the edge firewall for site A manage incoming connections, and let the other
sites' edge firewalls deal with site A's outgoing connections, etc?

I'm a mess. If we add two more sites my head might explode.

Morgan
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
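The recurring problem in Morgan's question is that the same address-book entries and policies have to exist on several SRX clusters and stay in sync. Whether or not a central product is used, the underlying technique is the same: keep one source of truth, render per-device Junos "set" commands from it (with a per-device list of which policies belong on the edge versus the core), and diff the rendered result against what each device actually has. The example below is added here to illustrate that; it is not code from this thread or from Juniper. The device names, addresses, zones and policies are constructed, and the sample "display set" output is a hand-made stand-in for a real `show configuration | display set` capture.

```python
"""Render one shared address book and policy set into per-device Junos "set"
commands, and report drift against a device's current configuration.
Added example; all names, addresses and policies below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set

# --- single source of truth (constructed sample data) -----------------------
ADDRESSES: Dict[str, str] = {
    "web-srv-1": "10.1.1.10/32",
    "web-srv-2": "10.1.1.11/32",
    "db-srv-1": "10.2.1.20/32",
}
ADDRESS_SETS: Dict[str, List[str]] = {
    "web-servers": ["web-srv-1", "web-srv-2"],
    "db-servers": ["db-srv-1"],
}


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    src: str
    dst: str
    apps: List[str]
    action: str = "permit"
    log: bool = True  # assumption: every rendered policy logs session init/close


POLICIES: List[Policy] = [
    Policy("allow-web", "untrust", "dmz", "any", "web-servers", ["junos-http", "junos-https"]),
    Policy("web-to-db", "dmz", "db", "web-servers", "db-servers", ["junos-ms-sql"]),
]

# Which policies belong on which device: the edge carries only edge rules, the
# core only inter-environment rules, while the address book is shared by all.
DEVICE_POLICIES: Dict[str, List[str]] = {
    "siteA-edge": ["allow-web"],
    "siteA-core": ["web-to-db"],
}


def render_address_book() -> List[str]:
    """Global address book (Junos 11.2+ syntax), identical on every device."""
    lines = [f"set security address-book global address {n} {p}"
             for n, p in sorted(ADDRESSES.items())]
    for aset, members in sorted(ADDRESS_SETS.items()):
        lines += [f"set security address-book global address-set {aset} address {m}"
                  for m in members]
    return lines


def render_policy(p: Policy) -> List[str]:
    base = (f"set security policies from-zone {p.from_zone} to-zone {p.to_zone} "
            f"policy {p.name}")
    lines = [f"{base} match source-address {p.src}",
             f"{base} match destination-address {p.dst}"]
    lines += [f"{base} match application {a}" for a in p.apps]
    lines.append(f"{base} then {p.action}")
    if p.log:
        lines += [f"{base} then log session-init", f"{base} then log session-close"]
    return lines


def render_device(device: str) -> List[str]:
    """Full desired security address-book + policies stanzas for one device."""
    by_name = {p.name: p for p in POLICIES}
    lines = render_address_book()
    for name in DEVICE_POLICIES[device]:
        lines += render_policy(by_name[name])
    return lines


def drift(device: str, current_set_output: str) -> Dict[str, Set[str]]:
    """Compare the desired set-lines with a device's `display set` output.
    Only the address-book and policies stanzas are considered, so unrelated
    config (interfaces, routing, system) never shows up as drift."""
    desired = set(render_device(device))
    current = {ln.strip() for ln in current_set_output.splitlines()
               if ln.strip().startswith(("set security address-book",
                                         "set security policies"))}
    return {"missing": desired - current, "extra": current - desired}


# Constructed stand-in for `show configuration | display set` on siteA-edge:
# it lacks the HTTPS application and logging, and carries a stale address.
SAMPLE_SITEA_EDGE = """\
set system host-name siteA-edge
set security address-book global address web-srv-1 10.1.1.10/32
set security address-book global address web-srv-2 10.1.1.11/32
set security address-book global address db-srv-1 10.2.1.20/32
set security address-book global address-set web-servers address web-srv-1
set security address-book global address-set web-servers address web-srv-2
set security address-book global address-set db-servers address db-srv-1
set security address-book global address old-host 10.9.9.9/32
set security policies from-zone untrust to-zone dmz policy allow-web match source-address any
set security policies from-zone untrust to-zone dmz policy allow-web match destination-address web-servers
set security policies from-zone untrust to-zone dmz policy allow-web match application junos-http
set security policies from-zone untrust to-zone dmz policy allow-web then permit
"""

if __name__ == "__main__":
    report = drift("siteA-edge", SAMPLE_SITEA_EDGE)
    for kind in ("missing", "extra"):
        print(f"{kind}:")
        for line in sorted(report[kind]):
            print("  " + line)
```

The "missing" lines are exactly what you would `load set` onto the device, and the "extra" lines are candidates for a `delete`; running the same check against every cluster after a change is what keeps the copies from silently diverging. The rendering is deliberately limited to the address-book and policies stanzas, so a device's interfaces, IPsec and routing config stay out of the comparison.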

