
Discussion: Long-term management strategies

Re: Discussion: Long-term management strategies

Postby NoelC » Tue Feb 16, 2016 5:29 pm

PietO wrote:...as you know the DNS <=> IP translation is not one-to-one in both directions; e.g. DNS=>IP depends on actual server load-distribution and configuration. In order to keep this manageable at firewall IP-level, I saw only one option: define this DNS=>IP translation at host-level fixed...


In all this just recently I had finally realized exactly what you were describing, so thanks for confirming it.
Thanks for sticking with me until I reached my own level of discovery, to where I could understand your approach. :)

Your idea is a good one. Use just one address, and take the potential risk that the particular server will be offline. But for things like certificate revocation list checks, the system is persistent and retries the operation anyway. With a (e.g., daily) maintaining process setting up a few static entries (thinking of it as longer-term DNS caching) there really isn't a downside.

Now, that being said, it's not hard to think that with even just one address per server the list could STILL grow to be greater than 40 entries. I imagine that the longer a system has been installed the more applications it has installed/run, the more and more complex the list of security operations will get. That pretty much describes all my systems. I only ever install the OS once and maintain them well, and I imagine the certificate lists continue to grow.

I'll go through my rules list again and look for savings where I can reduce some entries to a one-to-one name-address translation (which will be more manageable anyway). Maybe I'll save enough to have everything fit in the space for 40 entries.

-Noel
NoelC
 
Posts: 62
Joined: Fri Aug 21, 2015 12:59 am
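A small script in the spirit of the approach discussed above, added here as an example (it is not code from the thread, from PietO, or from the product): it pins each name to a single address from constructed resolver results, emits the static hosts entries, and counts the distinct addresses against the 40-rule cap. All hostnames and addresses are made up.

```python
"""Pin each security-related hostname to one address so IP-level firewall rules
stay one-to-one with names and fit a fixed per-zone cap (40, as in the thread)."""
import ipaddress

RULE_CAP = 40  # per-zone rule limit discussed in the thread

# Constructed stand-in for live lookups: the addresses a load-balanced
# resolver might hand out for each name over several days.
RESOLVED = {
    "crl.example.test": ["192.0.2.12", "192.0.2.11"],
    "ocsp.example.test": ["192.0.2.20", "192.0.2.11"],
    "update.example.test": ["198.51.100.5"],
}


def pin_addresses(resolved, pinned=None):
    """Return {name: address}. A pin from the previous run is kept while the
    resolver still returns it; otherwise prefer an address already pinned for
    another name (one rule then covers both), else the lowest address so the
    choice is deterministic rather than load-dependent."""
    pinned = dict(pinned or {})
    result = {}
    for name, addrs in sorted(resolved.items()):
        valid = sorted(addrs, key=ipaddress.ip_address)  # also validates syntax
        if not valid:
            raise ValueError(f"no addresses resolved for {name}")
        current = pinned.get(name)
        if current in valid:
            choice = current
        else:
            shared = [a for a in valid if a in set(result.values())]
            choice = shared[0] if shared else valid[0]
        result[name] = choice
    return result


def hosts_lines(pins):
    """Render the static hosts entries (the 'longer-term DNS cache')."""
    return [f"{addr}\t{name}" for name, addr in sorted(pins.items())]


def rule_budget(pins, cap=RULE_CAP):
    """Headroom left in the zone: one rule per distinct pinned address.
    A negative value means the zone would overflow its cap."""
    return cap - len(set(pins.values()))


if __name__ == "__main__":
    pins = pin_addresses(RESOLVED, pinned={"ocsp.example.test": "192.0.2.20"})
    print("\n".join(hosts_lines(pins)))
    print(f"headroom under cap {RULE_CAP}: {rule_budget(pins)}")
```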

Re: Discussion: Long-term management strategies

Postby NoelC » Fri Feb 19, 2016 6:37 pm

FYI, implementing PietO's approach where multiple server addresses are funneled into one via DNS operations, I've managed to shoehorn everything I need (at least at the moment) to support normal operations into my "SysOps with Security" zone. Total rule count: 36 - so I'm just squeaking by.

Given that this is so close to 40, I'd still appreciate it if you would keep that request to expand the list beyond 40 on the list of things to do if you can.

-Noel
NoelC
 
Posts: 62
Joined: Fri Aug 21, 2015 12:59 am
