[j-nsp] Firewall best practices

Tim Eberhard xmin0s at gmail.com
Mon Jun 11 20:06:01 EDT 2012


While I agree Space is a decent, viable option, there are lots of
limitations and caveats around the Space Security Designer product.
Test it thoroughly before buying and know how it acts and what it does
that will not work in your environment.

Another thing worth mentioning is SD has been out less than a year.
Its first release (re-release after being rewritten from scratch) was
11.4; the most recent and greatly needed update is 12.1.

I hope this helps,
-Tim Eberhard

On Mon, Jun 11, 2012 at 6:52 PM, Patrick Dickey <dickeypjeep at yahoo.com> wrote:
> Morgan- I would take a good hard look at Junos Space's Security Design package. It has centralized address books, tiered policy management, config management, and VPN tools (among a ton of other features), all from a single pane of glass. Ask your reseller for a demo or check it out online. The information Juniper is publishing on the website may be a little out of date, but there is more info available to your Juniper sales team.
>
>
> HTH
>
> Patrick
>
>
>
> ________________________________
> From: Morgan McLean <wrx230 at gmail.com>
> To: juniper-nsp at puck.nether.net
> Sent: Monday, June 11, 2012 5:18 PM
> Subject: [j-nsp] Firewall best practices
>
> Hi everyone,
>
> I have a question regarding managing policies among multiple sets of
> firewalls. I don't know what industry standard / best practice is for
> managing rules among multiple devices.
>
> Currently our office has an srx cluster, site A has an edge srx cluster and
> core srx cluster, and site B has an edge srx cluster and core srx cluster.
> The edge srx clusters generally interface with border routers or providers
> directly, IPSEC, DMZ and any outbound 3rd party web filter redirects etc.
> The core srx clusters handle firewalling between our different
> environments. Separating search engines, databases, web servers, etc etc.
>
> I don't know what the best way to manage the firewall rules is between
> these sites. I don't think it's sustainable to write the same rule on site A
> core, site A edge, site B edge, site B core. And then managing the address
> book entries on every device also becomes a hassle, making sure it's
> all synchronized etc. Is there a better method of doing this?
>
> I don't even want to think about what happens if I want traffic from the
> office to route through site A in order to reach site B in the event of a
> VPN issue between the office and site B directly.
>
> Is there a good method for keeping these things managed, like only having
> the edge firewall for site A manage incoming connections, and let the other
> site's edge firewall deal with site A's outgoing connections, etc?
>
> I'm a mess. If we add two more sites my head might explode.
>
> Morgan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
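The alternative to a commercial manager that several people on this list use is to keep one source of truth for address objects and rules and generate each cluster's Junos configuration from it. The following is an added example written for this thread, not code from any poster or from Juniper: the device names, zones, prefixes and rules are constructed, and it only renders the `security address-book` and `security policies` stanzas (zones, interfaces and VPNs are assumed to exist on each SRX already). Each rule names the devices and zone pair it must be enforced on, so the "same rule on site A core, site A edge, site B edge, site B core" problem becomes one entry rendered four times, and a validation pass catches address objects that a policy references but nobody defined.

```python
"""Render one shared rule set into per-device Junos SRX 'set' commands.

Added illustration for the mailing-list thread above; not code from any
poster or from Juniper. Device names, zones, prefixes and rules are
constructed sample data. Only 'security address-book' and 'security
policies' stanzas are generated; zones, interfaces and VPNs are assumed
to be configured already on each cluster.
"""

# Shared address book: defined once, rendered onto every device whose
# policies reference it (constructed sample data, RFC 5737 ranges).
ADDRESS_BOOK = {
    "office-lan": "192.0.2.0/24",
    "siteA-web": "198.51.100.0/26",
    "siteA-db": "198.51.100.64/26",
    "siteB-web": "203.0.113.0/26",
}

# Each rule lists the devices and the zone pair it must exist on, so a
# rule that has to be enforced on several clusters is written once.
# Order is significant: SRX evaluates policies first-match-wins.
POLICIES = [
    {"name": "office-to-siteA-web", "devices": ["siteA-edge", "siteA-core"],
     "from": "untrust", "to": "web", "src": ["office-lan"],
     "dst": ["siteA-web"], "apps": ["junos-https"], "action": "permit"},
    {"name": "siteA-web-to-db", "devices": ["siteA-core"],
     "from": "web", "to": "db", "src": ["siteA-web"],
     "dst": ["siteA-db"], "apps": ["junos-ssh"], "action": "permit"},
    {"name": "office-to-siteB-web", "devices": ["siteB-edge", "siteB-core"],
     "from": "untrust", "to": "web", "src": ["office-lan"],
     "dst": ["siteB-web"], "apps": ["junos-https"], "action": "permit"},
]


def validate(book=ADDRESS_BOOK, policies=POLICIES):
    """Return a list of problems (empty when the rule set is consistent).

    Catches the synchronisation mistakes that bite when rules are typed
    by hand on several boxes: a policy referring to an address object
    nobody defined, and a policy name duplicated on the same device and
    zone pair (the second 'set' would silently merge into the first).
    """
    errors = []
    seen = set()
    for pol in policies:
        for name in pol["src"] + pol["dst"]:
            if name != "any" and name not in book:
                errors.append(f"{pol['name']}: unknown address {name}")
        for dev in pol["devices"]:
            key = (dev, pol["from"], pol["to"], pol["name"])
            if key in seen:
                errors.append(f"{pol['name']}: duplicated on {dev}")
            seen.add(key)
    return errors


def referenced_addresses(device, policies=POLICIES):
    """Address-book names that a given device's policies actually use."""
    names = set()
    for pol in policies:
        if device in pol["devices"]:
            names.update(n for n in pol["src"] + pol["dst"] if n != "any")
    return names


def render(device, book=ADDRESS_BOOK, policies=POLICIES):
    """Junos 'set' commands for one device: the address objects it needs,
    then its policies in POLICIES order."""
    lines = []
    for name in sorted(referenced_addresses(device, policies)):
        lines.append(f"set security address-book global address {name} {book[name]}")
    for pol in policies:
        if device not in pol["devices"]:
            continue
        base = (f"set security policies from-zone {pol['from']} "
                f"to-zone {pol['to']} policy {pol['name']}")
        for src in pol["src"]:
            lines.append(f"{base} match source-address {src}")
        for dst in pol["dst"]:
            lines.append(f"{base} match destination-address {dst}")
        for app in pol["apps"]:
            lines.append(f"{base} match application {app}")
        lines.append(f"{base} then {pol['action']}")
        # Log permits at session close (byte counts) and denies at init,
        # so edge and core logs for the same flow can be correlated.
        log_event = "session-close" if pol["action"] == "permit" else "session-init"
        lines.append(f"{base} then log {log_event}")
    return lines


if __name__ == "__main__":
    problems = validate()
    if problems:
        raise SystemExit("\n".join(problems))
    for dev in ("siteA-edge", "siteA-core", "siteB-edge", "siteB-core"):
        print(f"# --- {dev} ---")
        print("\n".join(render(dev)))
```

The rendered lines are plain `set` statements, so they can be reviewed in version control and applied with `load set` on each cluster (or pushed over NETCONF); the global address book used here requires a Junos release that supports `security address-book global`, which the 11.x and 12.x releases discussed in the thread do.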


