From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Brett Simpson <Simpsonb@hillsboroughcounty.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: Managing large number of rules
Date: Thu, 03 Jun 2004 11:18:13 -0400
Message-ID: <1086275893.3189.13.camel@localhost>
In-Reply-To: <s0bf002f.044@GroupWise>
On Thu, 2004-06-03 at 10:40, Brett Simpson wrote:
> For those who have a large number (1000 or more) of Iptables rules how are you managing them?
>
> Do you hand edit the rules or do you use a management gui (i.e. FwBuilder)?
>
> Brett
I'll mention two items. First, I always make sure I use the
iptables-restore files and syntax lest loading large rule sets create a
seemingly interminable bootup.
Second, this is exactly the impetus behind the ISCS project
(http://iscs.sourceforge.net). The need was to handle the potentially
thousands of rules on hundreds and thousands of devices in order to
implement sophisticated, inter- and intra-office/partner security. When
attempting to implement Internet style access controls internally to
achieve compartmentalization and a multi-layered defense, the size,
complexity and rate of change of the rule sets skyrocket. Moreover, one
must manage this complexity without interfering with the NAT, VPN and
routing rules or the existing firewall rules. Finally, the cost of
managing the complexity must not drive the cost of such multi-layered
security beyond a justifiable expense.
We've achieved these goals in a real world, multi-client distributed
managed service organization including a 90% reduction in the cost of
managing security using a no longer available proprietary product. ISCS
is an open source replacement that achieves even better results using
completely original code.
Basically, the administrator describes the overall flow of information
and the desired security and the ISCS automatically generates and
distributes a consistent, properly ordered firewall/NAT/VPN/Router rules
set. This is something beyond even the most expensive commercial tools
like Solsoft, SmartPipes or the global managers available from
NetScreen/Checkpoint/etc.
I would not dream of implementing the kind of security we did at Nexus
Management (http://www.nexusmgmt.com) without such a tool. We are
between 2/3 and 3/4 of the way to our first release. If anyone wants to
help with either time or money, we can use all the help we can get for
such an enormous project - John
--
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
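The first point in John's reply, using iptables-restore syntax instead of one iptables invocation per rule, is illustrated below by an added example. This script is not part of the original message, the ISCS project, or the netfilter tools; the service list, the chain policies and the function names (gen_restore_file, count_rules, load_rules) are all constructed for the illustration. The point it demonstrates is that iptables-restore reads the whole table between `*filter` and `COMMIT` and commits it in one kernel transaction, so a thousand-rule policy costs one process start rather than a thousand.

```shell
#!/bin/sh
# Added example: generate an iptables-restore file for the filter table
# from a short service list and load it atomically. The slow pattern this
# replaces is a boot script that calls /sbin/iptables once per rule.

# Constructed sample input: "protocol port" pairs to accept on INPUT.
ALLOWED_SERVICES="tcp 22
tcp 443
udp 500"

# Emit a complete iptables-restore file on stdout. Chain lines begin with
# ':' and carry the policy and packet/byte counters; rule lines use the
# same syntax as the iptables command line minus the program name.
gen_restore_file() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "$ALLOWED_SERVICES" | while read -r proto port; do
        [ -n "$proto" ] || continue
        echo "-A INPUT -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # COMMIT ends the table; nothing above it touches the kernel until here.
    echo 'COMMIT'
}

# Count the rule (-A) lines in a generated restore file.
count_rules() {
    grep -c '^-A ' "$1"
}

# Parse and construct the ruleset without committing it (iptables-restore
# --test), so a syntax error is caught before the real load. Requires the
# iptables userspace tools; the real load (without --test) needs root.
load_rules() {
    iptables-restore --test "$1"
}

# Stand-alone use: write the file, then load it for real as root with
#   gen_restore_file > /etc/iptables.rules && iptables-restore /etc/iptables.rules
gen_restore_file
```

Because the kernel only sees the rules at COMMIT, a policy that fails to parse leaves the previous ruleset untouched, which is the other reason to prefer this form over a long sequence of individual iptables calls.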