* secure remote management
From: Emre CELEBİ @ 2004-01-24 13:22 UTC
To: netfilter
Hi,
I'm responsible for managing 6 iptables firewalls, all in different locations. Normally I use ssh and scripting to manage those boxes - and am very happy at the moment - but unfortunately my firewall rules are going to be too long and complicated, and also - because of customers' Checkpoint habits - I'm required to document the rules regularly in an object-oriented scheme like in fwbuilder - which I know has no remote access.
What I want is to securely manage my iptables remotely, and I need a tool for this (with a web interface, or a Java interface, because clever customers also want to see them in an interface, not with vi or with an ssh login and X-forwarding).
I'm trying to decide whether to use the Webmin iptables module or the bifrost tool, but am hesitating about their security issues.
I'm wondering if there are any other netfilter users who manage their boxes remotely with an interface, and want to hear their opinions and security experiences.
Thanks in advance.
Emre CELEBI
* Re: secure remote management
From: Unknown, Alistair Tonner @ 2004-01-24 15:41 UTC
To: Emre CELEBİ, netfilter
On January 24, 2004 08:22 am, Emre CELEBİ wrote:
> Hi,
> I'm responsible for managing 6 iptables firewalls, all in different
> locations. Normally I use ssh and scripting to manage those boxes - and am
> very happy at the moment - but unfortunately my firewall rules are going to
> be too long and complicated, and also - because of customers' Checkpoint
> habits - I'm required to document the rules regularly in an object-oriented
> scheme like in fwbuilder - which I know has no remote access. What I want is
> to securely manage my iptables remotely, and I need a tool for this (with a
> web interface, or a Java interface, because clever customers also want to
> see them in an interface, not with vi or with an ssh login and
> X-forwarding). I'm trying to decide whether to use the Webmin iptables
> module or the bifrost tool, but am hesitating about their security issues.
> I'm wondering if there are any other netfilter users who manage their boxes
> remotely with an interface, and want to hear their opinions and security
> experiences. Thanks in advance.
>
> Emre CELEBI
Where I've used webmin in the past, I've changed the port that
it listens on, and filtered access to that port to a specific list of IPs.
Given some configuration, it can be relatively secure.
Question -- you don't want to do X11 forwarded sessions because? ..
at a guess the users want to be able to see the rules from a winders
box downstream from the firewall? -- at that point I can see why ..
webmin is a bit of overkill for this, but is granular enough that you
can let your clients review the firewall rules and not allow them to
muck with them too much.
There is a java project you might look at: http://sourceforge.net/projects/jwall
but I've never used it -- I do know one person who has and finds it useful,
how useful it would be for you I don't know.
Alistair
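
The approach described in the reply above (a non-default listening port, reachable only from a fixed list of source addresses), as an added example that is not part of the thread or of Webmin. The port 12321, the source addresses and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Port 12321 and the 192.0.2.x / 198.51.100.x sources are
# constructed sample values (documentation ranges), not taken from the thread.

# is_ipv4_cidr ADDR: succeed only for a dotted-quad IPv4 with optional /0-32.
is_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Reject anything but digits and single dots before splitting on '.'.
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*|0?*) return 1 ;; esac   # too long or leading zero
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# mgmt_rules PORT SRC...: print the iptables commands, or print nothing and fail.
mgmt_rules() {
    port=$1
    case $port in ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    shift
    # An empty list would emit only the DROP and lock every administrator out.
    [ $# -ge 1 ] || { echo "empty allow-list" >&2; return 1; }
    # Validate everything first so a bad entry never yields a partial ruleset.
    for src in "$@"; do
        is_ipv4_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $src -j ACCEPT"
    done
    # Appended last: assumes no earlier INPUT rule already accepts this port.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Prints the commands for review; nothing is applied to the running firewall.
mgmt_rules 12321 192.0.2.10 198.51.100.0/28
```

The output is meant to be reviewed and then added to the firewall script, so the same allow-list can be kept in one place for all managed boxes.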
* Re: secure remote management
From: Emre CELEBİ @ 2004-01-24 17:02 UTC
To: netfilter
> Where I've used webmin in the past, I've changed the port that
> it listens on, and filtered access to that port to a specific list of IPs.
> Given some configuration, it can be relatively secure.
> Question -- you don't want to do X11 forwarded sessions because? ..
> at a guess the users want to be able to see the rules from a winders
> box downstream from the firewall? -- at that point I can see why ..
> webmin is a bit of overkill for this, but is granular enough that you
> can let your clients review the firewall rules and not allow them to
> muck with them too much.
>
> There is a java project you might look at: http://sourceforge.net/projects/jwall
> but I've never used it -- I do know one person who has and finds it useful,
> how useful it would be for you I don't know.
>
> Alistair
>
Yeah, you're right, because users want to see the rules and logs in a Windows environment. I also offered the Cygwin installation for ssh-X tunneling but oofff, they are the bosses man, they love IE!! It's easy for logs with php#mysql and using a log analyzer and get custom reports, but when it comes to rules I'm really scared. Also, I tried JWall but it seems still premature, as I tested some rule generating operations and it unfortunately produces wrong scripts for iptables (will contact the developer for this), but I admire jwall as it aims to be able to remotely manage IDS and firewall in a secure GUI env. Cool for ones like me who try to satisfy the unsatisfied MS users and can also script to check the GUI outputs.
Emre.