Keys to resetting firewalls

Source: Internet
Author: User
Tags: manual, readable, cisco, asa, 5505, firewall

Hardware firewalls are no different from routers, switches and other network devices: they too have a fairly short life cycle and will be replaced within a few years. Compared with other devices, however, replacing a firewall well is a very troublesome job, and doing it badly also introduces security risks to the network.

In small and medium-sized enterprises, managing the firewall is one of the many responsibilities a network administrator or system administrator takes on. Therefore, as an IT technician, you should at least understand the internal structure of the firewall. In general, firewall work is intermittent: when a new application is added to the corporate network, or a new server is added, the firewall must be configured accordingly. This occasional work is not a problem in day-to-day operations, but more complex, in-depth work, such as replacing one manufacturer's firewall with another vendor's product, or upgrading from a low-end product to a high-end one, is far more demanding for IT technicians.

Upgrading a firewall involves many issues; some are simple and straightforward, others are complicated, but either way there is a great deal to consider.

Figure A

For example, the operation manual for the Cisco ASA 5505 (Figure A) runs to 114 pages. This situation is not unique to Cisco products: Welch-Abernathy's 656-page Essential Checkpoint Firewall (2004) was rated by Amazon reviewers as the manual "most suitable for novices".

I recently interviewed Rich Gallo, a system administrator at a small technology company, who had just upgraded the company firewall. In the interview he provided a very long list of firewall upgrade precautions. Roughly speaking, it divides into seven major categories, as shown in Figure B.

Figure B

The main problems Gallo encountered included unused external IP addresses previously assigned by the ISP, Verizon, and coordination with the remote office subnet. Having two technical staff work together undoubtedly reduces the probability of error in the manual firewall migration process a great deal.

A firewall upgrade is also a good time to rearrange router cabling, move switches, adjust bandwidth allocation or reorganize the cabinet.

A good test environment is essential, and testing covers not only connectivity but also applications. For example, public-facing network applications must be tested from both the intranet and the extranet, using special test tools or software where necessary. You should also carefully review the contingency plan and the recovery plan, just in case.

VPNs are a special case and may affect firewall rule settings. In Gallo's company, the site-to-site VPN connections needed particular attention. When setting up the VPN, also pay attention to the particular VPN client, since it has to support both x32 and x64, Mac, Windows and Linux platforms, and users in a variety of environments. For example, during setup it was found that a Snow Leopard system could not establish a correct VPN connection; the administrator finally solved the problem by collecting information from various sources and from the DNS records.

Firewall rules are the core capability of a firewall, but old and new firewalls may differ greatly in how rules are set. These differences should be recorded in a document, unwanted rules deleted, and the new rules run past the program manager. Firewall rules should be kept both in the firewall's own machine-readable format and written out in a clear, human-readable form.
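The two points above, documenting the difference between the old and new rule sets and catching rules that still refer to external addresses the ISP no longer has in use for you, lend themselves to a small script. The following is an added example, not code from the article or from any firewall vendor: it assumes rules have already been exported into a simple vendor-neutral form (the `Rule` record below), and the rule sets, the ISP-assigned external block and the list of addresses still in use are all constructed sample data. It diffs the two rule sets, flags rules pointing at unused external hosts, checks that the new set still ends with an explicit deny-all, and emits both a JSON copy for version control and a readable report.

```python
"""Added example: diff an old and a new firewall rule set and report stale external addresses.

Assumptions (not from the article): rules are held in a simple vendor-neutral
machine-readable form (one Rule per entry), and the ISP-assigned external block
and the set of addresses still in use are known. All rule data is constructed.
"""
import ipaddress
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Rule:
    name: str    # human-readable label carried across to the new firewall
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp" or "ip"
    src: str     # "any", a host address or a CIDR prefix
    dst: str
    port: str    # destination port, or "any"


# Constructed sample: the rule set exported from the old firewall ...
OLD_RULES = [
    Rule("web-in", "permit", "tcp", "any", "203.0.113.10", "443"),
    Rule("mail-in", "permit", "tcp", "any", "203.0.113.11", "25"),
    Rule("legacy-ftp", "permit", "tcp", "any", "203.0.113.12", "21"),
    Rule("remote-office", "permit", "ip", "192.168.50.0/24", "10.0.0.0/24", "any"),
    Rule("default-deny", "deny", "ip", "any", "any", "any"),
]
# ... and the rule set drafted for the new firewall.
NEW_RULES = [
    Rule("web-in", "permit", "tcp", "any", "203.0.113.10", "443"),
    Rule("mail-in", "permit", "tcp", "any", "203.0.113.11", "25"),
    Rule("remote-office", "permit", "ip", "192.168.50.0/24", "10.0.0.0/24", "any"),
    Rule("vpn-users", "permit", "ip", "10.8.0.0/24", "10.0.0.0/24", "any"),
    Rule("default-deny", "deny", "ip", "any", "any", "any"),
]
# Constructed: the block the ISP routes to us, and the addresses still in use.
EXTERNAL_BLOCK = ipaddress.ip_network("203.0.113.0/28")
ACTIVE_EXTERNAL = {"203.0.113.10", "203.0.113.11"}


def rule_key(rule):
    """Identity of a rule for comparison; the label is deliberately ignored."""
    return (rule.action, rule.proto, rule.src, rule.dst, rule.port)


def diff_rules(old, new):
    """Return (removed, added): rules present only in old / only in new, in original order."""
    old_keys = {rule_key(r) for r in old}
    new_keys = {rule_key(r) for r in new}
    removed = [r for r in old if rule_key(r) not in new_keys]
    added = [r for r in new if rule_key(r) not in old_keys]
    return removed, added


def stale_external_refs(rules, block=EXTERNAL_BLOCK, active=ACTIVE_EXTERNAL):
    """Rules whose destination is a single host in our external block that is no longer in use."""
    stale = []
    for r in rules:
        try:
            addr = ipaddress.ip_address(r.dst)
        except ValueError:
            continue  # "any" or a CIDR prefix: not a single external host
        if addr in block and str(addr) not in active:
            stale.append(r)
    return stale


def ends_with_default_deny(rules):
    """The last rule should be an explicit deny-all, whatever the vendor's implicit default is."""
    last = rules[-1]
    return last.action == "deny" and (last.src, last.dst, last.port) == ("any", "any", "any")


def to_json(rules):
    """Machine-readable copy of a rule set, suitable for version control."""
    return json.dumps([asdict(r) for r in rules], indent=2)


def render_report(old, new):
    """Human-readable migration report: what was dropped, what was added, what looks stale."""
    removed, added = diff_rules(old, new)
    fmt = lambda r: f"{r.name}: {r.action} {r.proto} {r.src} -> {r.dst}:{r.port}"
    lines = ["Firewall migration report", "Removed from new rule set:"]
    lines += [f"  - {fmt(r)}" for r in removed] or ["  (none)"]
    lines.append("Added in new rule set:")
    lines += [f"  + {fmt(r)}" for r in added] or ["  (none)"]
    lines.append("Rules still pointing at unused external addresses:")
    lines += [f"  ! {fmt(r)}" for r in stale_external_refs(new)] or ["  (none)"]
    lines.append("New rule set ends with explicit default deny: "
                 + ("yes" if ends_with_default_deny(new) else "NO"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(OLD_RULES, NEW_RULES))
    print(to_json(NEW_RULES))
```

Comparing on the rule's content rather than its label means a rule that was merely renamed during migration is not reported as a change, while a rule whose ports or addresses were altered shows up as one removal and one addition, which is exactly what a reviewer wants to see side by side.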

The new firewall also affects logging and the alerting process. You should therefore plan to upgrade the alerts and log readers, so that you can respond to the new alerts and so that Security Analyzer and similar programs keep working properly.

There is a lot of work in upgrading a firewall. You may have to deal with firewall licenses that support a DMZ, handle special problems with the e-mail server, or set up additional logical rules to support a remote office. This list roughly reproduces the problems to consider when facing a firewall upgrade, and the order in which to consider them.
