mattrix
Feb 22 2005, 07:33 AM
Is it possible to manage the Hardware Firewalls ourself and for our clients?
Specifically this would be to avoid the delays and overheads of using Orbit support as well as for the more security conscious clients to check their own configs.
How do we even know we are running on a SME570 or a CiscoPIX 501 etc.?
eddy2099
Feb 22 2005, 07:43 AM
I believe the topic of self managed firewall was brought up a while ago but in the end there was no resolution for that.
As for knowing what firewall equipment you got, I doubt The Planet has any reasons to lie about it. They run a pretty much above-board business.
mattrix
Feb 23 2005, 02:06 AM
It's BS that unmanaged is not offered. How is getting locked out of your software firewall on your server any different to that of the HW FW?
I don't mind signing something that says "we accept full responsibility and you can charge $50 to reset the firewall if we lock ourselves out".
Then there is the fact that I have to wait AT LEAST 12 hours in some cases as the firewall techs only come in at 9am (Dallas time). For international customers it means we can not do firewall changes during business hours.
Not only that, what if a certain IP is hammering your box and you need to block it... oh just wait 12-24 hours.
This just seems to be a pigheaded management decision. I am a customer and have quite a number of servers with TP/SM but just this incident alone has made us consider if we want a long term relationship, if we have to deal with such inflexibility.
eddy2099
Feb 23 2005, 02:17 AM
You may not agree with their decisions but you do not need to be rude about it.
If you want, bring up the issue with The Planet's management and see what they could do for you. I am sure that being a huge customer such as yourself, they would most definitely want to retain you.
If you do not raise your concerns directly to management, they would not know about it.
I am not sure if those firewalls have web interface and if they can be accessed from outside the local network.
mattrix
Feb 23 2005, 04:46 AM
Well then the escalation procedure needs work, because it took 30 minutes to finally speak to a manager, who basically repeated the same lines the techies were saying.
They didn't want to make a solution either (colo buyout) or compromise in any way, this is what's making us so angry.
It just doesn't make sense, which is why I suspect there is something we don't know about.
eddy2099
Feb 23 2005, 05:54 AM
I found out that cyberguard (snapgear) does have a web interface but they probably need to give you access to a whole new IP address beyond your range to access it. It is also not that easy to configure and I guess they fear that they probably get more people locked out of their own machine and create a support nightmare and thus rather just allow for us mortals to run them ourselves.
I guess it is also part of security by preventing anyone from the outside from accessing your firewall hardware. If they expose that IP address, think about how anyone could just enter it and make a mess of your security.
mattrix
Feb 23 2005, 07:40 AM
QUOTE (eddy2099)
I found out that cyberguard (snapgear) does have a web interface but they probably need to give you access to a whole new IP address beyond your range to access it. It is also not that easy to configure and I guess they fear that they probably get more people locked out of their own machine and create a support nightmare and thus rather just allow for us mortals to run them ourselves.
I guess it is also part of security by preventing anyone from the outside from accessing your firewall hardware. If they expose that IP address, think about how anyone could just enter it and make a mess of your security.
The added "support nightmare" argument has already been refuted:
- Users can already lock themselves out with custom, weird software firewalls running on their servers, which the techs are even more unfamiliar with.
- Add an "I accept responsibility" clause and charge $50 for screwups.
Regarding exposing the IP, again a moot point since it still requires an encrypted username/password to enter. How is it different from Remote Desktop?
eddy2099
Feb 23 2005, 07:49 AM
A software firewall can be reset or removed since the admin can log in locally to remove them. A hardware firewall is outside of the system and may not be that easily handled. No idea, have not tried it before.
Do you have experience with the Snapgear Firewall before? Maybe you could impart your knowledge on managing it.
You might accept responsibility to be charged $50 for each reset but are others willing to pay that?
Remote Desktop is the access to the server while a firewall hardware is supposed to be a security device; RDC is merely a means to access the server. If the firewall can be easily exposed and foiled then where is the protection? No access means totally no way of breaking into the firewall layer, right?
mattrix
Feb 23 2005, 09:13 AM
QUOTE (eddy2099)
A software firewall can be reset or removed since the admin can log in locally to remove them. A hardware firewall is outside of the system and may not be that easily handled. No idea, have not tried it before.
Not true, the software firewall can lock out all access, requiring a tech to physically go to a machine, log in using the keyboard, and figure out how to disable the firewall. The HW firewall is the same, just easier: go there and press the factory default reset switch.
QUOTE (eddy2099)
Do you have experience with the Snapgear Firewall before? Maybe you could impart your knowledge on managing it.
Yes, we are providing full instructions; it's taking too long for the techs to respond.
QUOTE (eddy2099)
You might accept responsibility to be charged $50 for each reset but are others willing to pay that?
No-one says they have to take the unmanaged option!
eddy2099
Feb 23 2005, 09:21 AM
Like I said earlier, why don't you bring this issue up to the top management end at The Planet. I am sure being a huge customer such as yourself, they would be more than willing to work with you on this. Maybe not an option for everyone but a customized solution for you.
mattrix
Feb 23 2005, 10:17 AM
QUOTE (eddy2099)
Like I said earlier, why don't you bring this issue up to the top management end at The Planet. I am sure being a huge customer such as yourself, they would be more than willing to work with you on this. Maybe not an option for everyone but a customized solution for you.
Done, just spoke with a VP who was very helpful and accommodating, i.e. the kind of service we would expect.
So all seems well now.