[isapros] Re: ISA Rule Names

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 16 May 2007 06:51:13 -0700

You should *never* translate your CP rules directly to ISA policies.
Yes, it's simple and yes, it's often effective, but FSM, it's
un-freakin'-manageable!  Even with the network you describe, I'll bet
with a little time & effort you could reduce the rule set to a couple
hundred at most, even without AD groups.

Ex: MS operates an "ISP-like thingy" for employees, where they can
operate their own web, mail, media, etc. services.  I recently helped
them migrate their firewall from a CP (their "OLD" net admin finally
left) to ISA 2006 and we took a 200+ rule set down to 15, and even then,
there are several I still think they don't need.  They kept many of them
because they just weren't sure what was needed yet.  Let's just say his
documentation wasn't all that spiffy.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg Mulholland
Sent: Tuesday, May 15, 2007 10:16 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Rule Names

OK maybe I exaggerate a little but it is in the thousands. It's actually
a CP setup which could one day move to ISA if we feel like driving a
hole through our head. We have 12 offices, each one of them with their
own requirements, most of them running multiple DMZs with tens of
machines in each exposing web stuff, interoffice rules (despite Steve's
suggestion of an allow all rule). Then there are multiple guest wireless
LANs in most sites, lab networks, one site alone has 8 supernetted
subnets. The rulebase has the entire CP mesh in it, all 12 firewalls.
And then there are all the clients' rules we have too, generally for
support.



-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, 16 May 2007 12:33 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Rule Names

4000 rules is absurd.
Someone isn't paying attention to what they're creating.
I'll bet Steve's next lovin' that these could be reduced to less than
1/10 of their current quantity, given a proper review...

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Tuesday, May 15, 2007 3:56 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Rule Names

OK...list them all...:P

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg Mulholland
Sent: Tuesday, May 15, 2007 7:54 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Rule Names

 

Indeed and I wouldn't even consider that large..compared to other larger
businesses

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Wednesday, 16 May 2007 8:49 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Rule Names

 

4000 rules....lol

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg Mulholland
Sent: Tuesday, May 15, 2007 7:37 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Rule Names

 

I guess it kind of is but I still think of it as a potential improvement
to the overall way we display rules, but that's great to know Jim, I look
forward to it!

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, 15 May 2007 11:03 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Rule Names

 

Maybe I'm listening with the wrong eye, but this sounds like two
different questions?

"What naming convention works for you?" is a bit different than "I want
to find out what rules apply to <blah>"...

 

As far as rule names, keep it short, but clear.  This way, it makes
sense on first glance.  Details should be in the "Description" field.

We're working on a "rule-alyzer" that should make Greg (and many others)
happy, but no firm release date yet.

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Greg Mulholland
Sent: Tuesday, May 15, 2007 3:55 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ISA Rule Names

 

Jason

 

I have been waiting for an easier way to handle large rulesets in ISA
for a few releases now. I'm praying 2008 holds the key. I would like the
filtering or sorting of rules to be a little better so I can find what I
am looking for without having to go through 4000 rules to find what I'm
looking for.

 

I generally try to give as concise a name as possible whilst still
providing me the info of what the rule does without having to open it up.
I'd also like to know how other places do it. I've seen it work in "dare
I say it" Checkpoint and their rule filtering is great!

 

Tom, Jim, I'm sure you can't say but will there be any
improvements/changes on this front in 2008? A nod or a wink will
suffice!

 

Greg

 

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jason Jones
Sent: Tuesday, 15 May 2007 8:07 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] ISA Rule Names

 

Hi All,

Quick off the wall question...

I was wondering if any of you use some form of system for naming ISA
rules. As you can imagine, in a complex environment it is often quite
easy to get to a large number of rules and hence the actual rule names
become more important to understanding which rule does what.

Up until now, I have always used quite wordy names like 'Allow Access
from Exchange Frontend Servers to Exchange backend Servers' or similar.
I have also used prefixes like 'Inbound:' or 'Outbound:' or
'Management:' to try and give a basic indicator to the rule purpose.

Am I better having simple rule names (maybe based upon application or
function?) and do all the wordy stuff in the rule description field???

Any comments or suggestions would be really welcome, especially from
people who have used ISA with large rule sets, maybe for big company
edge ISA firewall. How do MS do it for their edge ISAs??

I know it is not that important at the end of the day, but just curious
for feedback...

Thanks

JJ

All mail to and from this domain is GFI-scanned.

