MDM Architecture – Part III

Yesterday while jogging I was listening to RadioLab on Gödel's incompleteness theorem and the Barber Theorem. Basically: what is the basis of all math, numbers or sets? Answer: basically, there is no answer.

Same with MDSs. What is the basis of MDSs? While Gödel might say there is no answer, it doesn't prevent me from taking a whack at it.

The answer is: Objects.

Done deal. That wasn’t so hard. Am I the next Godel now?

For those of you who haven’t arrived at this conclusion I guess I’ll drool on for a bit.

Let’s look at what we have in an MDM system:

  • Objects: used to create policies
  • Policies: use objects to make rules
  • Firewalls: enforce rules on security zones
  • SmartCenters: Hold local policy and objects and apply to firewalls
  • MDSs: Hold global policy and objects and apply to SmartCenters

Do you see a pattern? Nice little hierarchy huh?

Who cares?

Well, if you are a large enterprise and you are hitting the 250-domain limit on an MDS, how are you going to organize/group your MDM architecture?

Objects.

  1. Determine your security zones (refer to my MDM Part II)
  2. Find common set of zones that share a huge swath of OBJECTS
  3. Group those zones into a Domain/SmartCenter and develop policies from those common OBJECTS. A common rule of thumb is 10-15 policies per Domain/SmartCenter. Make sure you use the APPLYTO field so that the policies get loaded onto the right firewall(s).
  4. MDS Prime Directive: NEVER use global objects in local rules. In a similar vein, build MDSs around groups of global objects. For example: if you are international and you have an MDS for each country or region (e.g. North America), then build global objects for your SNMP manager, e.g. g_NA_snmp_mgr.
  5. Build global policies from those global objects.
  6. Apply those global policies to a group of Domains. How big should the group be? Currently an MDS starts creaking at 100 Domains but can hold up to 250.
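To make the hierarchy from the first list and the six steps above concrete, here is an added example of my own (not code from the post, and not Check Point's API or tooling). It models zones, objects, domains and MDSs as plain Python data and runs the checks the post implies: grouping zones into candidate domains by the local objects they share, flagging any local rule that references a global object (the MDS Prime Directive), grouping domains by the global objects they consume, and comparing a proposed layout against the 100/250-domain and 10-15-policy limits. Every zone, object and rule name, the "g_" prefix convention taken from the post's g_NA_snmp_mgr, and the similarity threshold are constructed assumptions.

```python
# Added example (not from the post or from Check Point): a toy model of the
# object -> policy -> domain -> MDS hierarchy, plus lint checks for the limits
# the post lists. All names, zones and numbers below are constructed.

GLOBAL_PREFIX = "g_"          # naming convention from the post, e.g. g_NA_snmp_mgr
MDS_HARD_LIMIT = 250          # domains per MDS (post: "can hold up to 250")
MDS_COMFORT_LIMIT = 100       # post: MDS "starts creaking at 100 Domains"
MAX_POLICIES_PER_DOMAIN = 15  # upper end of the post's 10-15 rule of thumb


def is_global(obj):
    return obj.startswith(GLOBAL_PREFIX)


def jaccard(a, b):
    """Share of objects two sets have in common (0..1)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def group_zones(zones, threshold=0.3):
    """Steps 2-3: greedily merge security zones that share a large swath of
    LOCAL objects into candidate domains. Global objects are ignored here
    because they span domains by design (step 4 groups MDSs around them)."""
    groups = []  # each entry: [set of zone names, union of their local objects]
    for zone, objs in zones.items():
        local = {o for o in objs if not is_global(o)}
        for group in groups:
            if jaccard(group[1], local) >= threshold:
                group[0].add(zone)
                group[1] |= local
                break
        else:
            groups.append([{zone}, local])
    return [sorted(names) for names, _ in groups]


def lint_local_rules(local_rules):
    """Step 4, the MDS Prime Directive: no global object in a local rule.
    Returns (domain, rule, offending objects) for every violation, which is
    exactly the situation where the global object can no longer be deleted."""
    violations = []
    for domain, rules in local_rules.items():
        for rule, objs in rules.items():
            bad = sorted(o for o in objs if is_global(o))
            if bad:
                violations.append((domain, rule, bad))
    return violations


def group_domains_by_global_objects(domain_globals):
    """Steps 5-6: domains that consume the same set of global objects are
    candidates for the same global policy and the same MDS."""
    by_key = {}
    for domain, globs in domain_globals.items():
        by_key.setdefault(frozenset(globs), []).append(domain)
    return {",".join(sorted(k)): sorted(v) for k, v in by_key.items()}


def check_limits(domains_per_mds, policies_per_domain):
    """Compare a proposed layout against the limits listed in the post."""
    report = {}
    for mds, domains in domains_per_mds.items():
        n = len(domains)
        if n > MDS_HARD_LIMIT:
            report[mds] = "over hard limit"
        elif n > MDS_COMFORT_LIMIT:
            report[mds] = "creaking"
        else:
            report[mds] = "ok"
    for domain, n in policies_per_domain.items():
        if n > MAX_POLICIES_PER_DOMAIN:
            report[domain] = "too many policies"
    return report


# --- constructed sample data ---------------------------------------------
ZONES = {                     # security zone -> objects its rules reference
    "na_dmz":  {"web_vip", "na_dns", "g_NA_snmp_mgr"},
    "na_corp": {"na_dns", "na_ad", "g_NA_snmp_mgr"},
    "na_dev":  {"na_dns", "na_ad", "jenkins"},
    "eu_dmz":  {"eu_web_vip", "eu_dns", "g_EU_snmp_mgr"},
    "eu_corp": {"eu_dns", "eu_ad", "g_EU_snmp_mgr"},
}
LOCAL_RULES = {               # domain -> rule name -> objects in that LOCAL rule
    "na_core": {"mgmt_access": {"na_ad", "g_NA_snmp_mgr"}, "dns_out": {"na_dns"}},
    "eu_core": {"dns_out": {"eu_dns"}},
}
DOMAIN_GLOBALS = {            # domain -> global objects its global policy needs
    "na_core": {"g_NA_snmp_mgr"}, "na_dev": {"g_NA_snmp_mgr"}, "eu_core": {"g_EU_snmp_mgr"},
}
MDS_LAYOUT = {"mds_na": [f"na_dom{i}" for i in range(120)], "mds_eu": ["eu_core"]}
POLICY_COUNTS = {"na_core": 12, "eu_core": 18}

if __name__ == "__main__":
    print(group_zones(ZONES))                              # two candidate domains, NA and EU
    print(lint_local_rules(LOCAL_RULES))                   # na_core/mgmt_access breaks the directive
    print(group_domains_by_global_objects(DOMAIN_GLOBALS))  # one MDS candidate per region
    print(check_limits(MDS_LAYOUT, POLICY_COUNTS))         # mds_na creaking, eu_core over 15 policies
```

Run it as a script to see the four reports. The lint step is the one worth wiring into a change process: a local rule that quietly picks up a g_ object is what turns a global object into something you can never delete, and it is cheap to catch before the policy is installed.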

The above process was built with the known limitations of MDS in mind:

  • MDS Prime Directive: never use global objects in local rules
  • Can't delete global objects that are used in local rules
  • MDS limit of 250 domains (in practice about 100 before it starts creaking)
  • SmartCenter's human administrative support limit of 10-15 policies

If these physical limits change with the advance of Gaia, I may revise the above process.

Well, time for a jog and more RadioLab. Maybe it will inspire my next MDM Nobel prize.

Later MDM geeks,

dreezman

blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.