Firewall-1

[FW-1] Communication between CP firewall and CMA over IPSec tunnel

Subject: [FW-1] Communication between CP firewall and CMA over IPSec tunnel
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 22 Sep 2006 03:43:02 -0700
P-1--(i)Pix(o)--Internet--(o)Router(i)--CP_FW--LAN_X
   
  Both the router and the CP Firewall have public IP.
   
  I have a P-1 with RFC-1918 address space like 192.168.0.0/24
with the leading interface IP 192.168.0.1.  This P-1 will
have about 250 CMAs in there and it will manage about 500
Nokia firewalls over the Internet.
   
  The way I understand it, the communication between the CMA
and the firewall is through SIC and it is encrypted with 128-bit
SSL encryption.  I guess this is enough in about 90%
of situations.
   
  However, I am thinking of a situation that requires additional
security for management traffic between the firewall and the CMA.
I want to build an IPSec VPN tunnel between the Pix and the
Cisco router so that the CP firewall can communicate with
the P-1/CMA through a secure VPN tunnel.  This will allow
the management traffic (which is already encrypted with
SSL encryption) to ride inside an AES-256/SHA/DH-5 IPSec
tunnel.
   
  For those who work in the Managed Security Services, how
do you normally manage Customer remote firewalls?  Does my
approach seem sound or is it completely unnecessary?  
   
  TIA
  cisco4ng
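As an added example (not part of the original post), here is what the router side of the proposed tunnel looks like in Cisco IOS, with the IKE/IPSec parameters set to the AES-256 / SHA / DH group 5 values the post names and the interesting traffic limited to the CP firewall's public address and the P-1 subnet 192.168.0.0/24. The peer addresses, pre-shared key, interface name and IOS release (assumed: a 12.x-era IOS with the crypto feature set) are placeholders or assumptions; the PIX end needs the mirror-image policy, transform set and access list.

```cisco
! --- Router in front of CP_FW (assumed IOS 12.x syntax) ---
! Phase 1 (IKE): AES-256, SHA-1, pre-shared key, DH group 5
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
! Pre-shared key for the PIX peer (placeholders, not real values)
crypto isakmp key <PRE-SHARED-KEY> address <PIX_PUBLIC_IP>
!
! Phase 2 (IPSec): ESP with AES-256 and HMAC-SHA-1, tunnel mode
crypto ipsec transform-set CMA-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Only management traffic between CP_FW and the P-1/CMA subnet
! is sent through the tunnel; everything else stays in the clear.
ip access-list extended CMA-TRAFFIC
 permit ip host <CP_FW_PUBLIC_IP> 192.168.0.0 0.0.0.255
!
! Bind peer, transform set and interesting traffic; PFS with
! group 5 re-derives keys on every Phase 2 rekey.
crypto map CMA-MAP 10 ipsec-isakmp
 set peer <PIX_PUBLIC_IP>
 set transform-set CMA-SET
 set pfs group5
 match address CMA-TRAFFIC
!
! Apply on the Internet-facing interface (name is an assumption)
interface FastEthernet0/0
 description Internet-facing interface toward the PIX
 crypto map CMA-MAP
```

After both ends are configured, `show crypto isakmp sa` and `show crypto ipsec sa` on the router confirm that the Phase 1 SA is up and that the encaps/decaps counters increase only for the CP_FW-to-192.168.0.0/24 flow, which is the check that SIC traffic is actually riding inside the tunnel rather than bypassing it.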


