[fmac-discuss] Zones and Flask
Bill Sommerfeld
sommerfeld at sun.com
Fri Apr 18 15:44:50 PDT 2008
On Fri, 2008-04-18 at 14:05 -0700, Alan DuBoff wrote:
> I would like to hear what type of ideas you might have for policy
> management.
I have a lot of what I'd characterize as half-baked ideas that I need to
spend more time on once my current project is further along.
There are a bunch of avenues I think are worth exploring:
1) extending the tn*db databases (especially the templates) with a
mechanism to also distribute IPsec SPD and IKE PAD rules.
2) decoupling policy from IP addresses, by instead tying it to
attributes associated with node and/or user authentication credentials.
(This would potentially greatly reduce the number of SPD rules, leaving
you with much less to manage).
3) specialized higher-level tools to generate the configuration for
specific combinations of systems (for instance, a fully-connected mesh
of security gateways).