Abstract - Technical Program - NETA 99
Just Type Make! Managing Internet Firewalls Using Make and Other
Publicly Available Utilities
Sally Hambridge, Charles Smothers, Tod Oace, and Jeff Sedayao, Intel
Managing Internet firewalls that can failover between each other is
quite a challenge. When those firewalls are geographically dispersed and
have a small number of people to be maintain them, it becomes even more
challenging. Intel Corporation has a small staff that manages several
geographically dispersed Internet firewalls with failover requirements.
These firewalls use a standard screened subnet architecture  with
packet filtering inner and outer firewall routers and a number of
bastion hosts between them. These bastion hosts provide services with
load balancing and disaster recovery for relaying SMTP mail, answering
DNS queries, and proxying web requests. To manage this complex system of
firewalls, Intel's Internet Connectivity Engineering staff have come up
with a way to model all of the interrelated firewall as one distributed
system. Host and router configurations are considered source to that
system and compilation and installation of that source is driven by the
Make  utility. Packet filtering Access Control Lists (ACLs) are built
by a Makefile. The Makefile assembles the ACLs and executes an Expect
 script that installs them. We configure bastion hosts by configuring
Make to drive rdist, which run over the secure shell (SSH) .
In this way, only updated files are pushed out to the bastion hosts and
passwords and other configuration information do not go in the clear.
Our experiences with Make and these publicly available utilities are
quite good - allowing us to manage a large distributed set of firewall
devices. Using a Make driven approach requires much discipline, however,
to avoid the distribution of bad configurations. Future plans include
ACL optimization and sanity tests before and after bastion host
- View the full text of this paper in
- If you need the latest Adobe Acrobat Reader, you can download it
- To become a USENIX Member, please see our Membership Information.