Some MS providers require a site-to-site VPN for access to any customer
devices. I think it makes good sense. True, you get the SSL tunnel between CMA
and FW, but the additional tunnel allows you to do things like monitoring, use
of the RFC IP space (no NAT complications from doing static on the CMA), backup
and log retrieval (backups on the Nokias could be automated and sent through
FTP) and so on.
-GS
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of cisco4ng
Sent: Friday, September 22, 2006 6:43 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Communication between CP firewall and CMA over IPSec tunnel
P-1--(i)Pix(o)--Internet--(o)Router(i)--CP_FW--LAN_X
Both the router and the CP Firewall have public IP.
I have a P-1 with RFC-1918 address space like 192.168.0.0/24
with the leading interface IP 192.168.0.1. This P-1 will
have about 250 CMAs in there and it will manage about 500
Nokia firewalls over the Internet.
The way I understand it, the communication between the CMA
and the firewall is through SIC and it is encrypted with 128-bit
SSL encryption. I guess this is enough in about 90%
of the situations.
However, I am thinking of situations that require additional
security for management traffic between the firewall and the CMA.
I want to build an IPsec VPN tunnel between the Pix and the
Cisco router so that the CP firewall can communicate with
the P-1/CMA through a secure VPN tunnel. This will allow
the management traffic (which is already encrypted with
SSL encryption) to ride inside an AES-256/SHA/DH-5 IPsec
tunnel.
For those who work in Managed Security Services, how
do you normally manage customer remote firewalls? Does my
approach seem sound or is it completely unnecessary?
TIA
cisco4ng
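As an added illustration (not from either poster), here is what the router side of the proposed tunnel looks like in Cisco IOS IKEv1/IPsec terms, using the AES-256/SHA/DH-5 parameters and the 192.168.0.0/24 P-1 space from the question; the public addresses (203.0.113.0/24 documentation range), the pre-shared key and the interface name are placeholders.

```cisco
! Router in front of CP_FW (placeholder public IP 203.0.113.2)
! Peer: the Pix in front of P-1 (placeholder public IP 203.0.113.1)
!
! Phase 1: AES-256, SHA-1, DH group 5, pre-shared key (placeholder)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.1
!
! Phase 2: ESP with AES-256 and SHA-1 HMAC, PFS with group 5
crypto ipsec transform-set CMA-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Only management traffic between CP_FW and the P-1/CMA subnet is
! "interesting"; everything else stays outside the tunnel.
! (203.0.113.10 stands in for the CP firewall's public address.)
access-list 101 permit ip host 203.0.113.10 192.168.0.0 0.0.0.255
!
crypto map CMA-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set CMA-TS
 set pfs group5
 match address 101
!
! Apply to the Internet-facing interface (name is a placeholder)
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map CMA-MAP
```

The Pix side needs a mirror-image crypto ACL (192.168.0.0/24 to the CP firewall host) and the same proposals; once both sides are up, `show crypto ipsec sa` on the router should show encaps/decaps counters increasing only for SIC and log traffic to the CMA addresses.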
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================