
Re: [FW-1] Distributed FW/VPN & Mgt Modules



Not quite a fit to use secure server, but thanks.  I
think that I will move the management server to a
public IP that is on a secure segment off of the FW
server and protect it that way.  It will take a lot of
work to reconfigure all of the FW modules that I have
globally to see the new MGT server as the new master,
but as I said, I don't get much feedback.  I'm in
uncharted water.
--- Matthias Leu <[email protected]> wrote:
> Hi,
> I'm sure you are not the first Administrator separating Management and
> Firewall ;-)
>
> Chris H wrote:
>
> > If I want to move from a single box running both the FW/VPN module and
> > Management module to an appliance running the FW/VPN module and a
> > separate box running the management module, how do I secure the MGT
> > server?
>
> Administrators often don't remember that the Management-Module itself is
> no Firewall - but it's highly recommended to make this machine secure. If an
> attacker "has" the Management of all Firewalls, the Administrator has
> lost seriously.
> Maybe Check Point Secure Server is the right choice for you. It's like a
> Firewall, but without routing and for securing exactly one computer. It
> has to be licensed separately, but the price is not so high and the
> security of the Management should be worth this.
> "Protecting" the Management-Module by hiding it - I don't think this is
> the right way. Just think of internal attackers, co-workers in your
> private network...
> Hope it helps,
> best regards,
> Matthias
>
> http://www.fw-1.de
>
> > If I didn't run any other FW/VPNs with the all in one box I could just
> > put the MGT server on the secure side of the FW and NAT the MGT server.
> > The hitch is that I manage and run a bunch of other distributed FW/VPN
> > modules with this all in one box.  So if I change the management station
> > to an internal NAT'd IP then the remote modules won't be able to be
> > managed without the VPN being up first and if the VPN has a problem I
> > can't manage it?  Has anyone done this before?  How was it handled?  The
> > silence on this question has been deafening. I can't be the only one to
> > try this.
> >
> > Thanks
> > Chris
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.
> > http://geocities.yahoo.com/ps/info1
> >
> > ===============================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ===============================================



 
   All contents © 2004 Network Presence, LLC. All rights reserved.