Lesson 12: Managing Your Security Policy for Disaster Recovery

Prof Wool: Firewall Management 201 | Lesson 12: Managing Your Security Policy for Disaster Recovery Subscribe

In this lesson Professor Wool discusses ways to ensure that your security policy on your primary site and on your disaster recovery (DR) site are always sync. He presents multiple scenarios: where the DR and primary site use the exact same firewalls, where different vendor solutions or different models are used on the DR site, and where the IP address is or is not the same on the two sites.

Learn more about AlgoSec at http://www.algosec.com and read Professor Wool's blog posts at http://blog.algosec.com

View transcript

hello welcome to our lesson i'm professor wall today we're going to be talking about managing your security policy for disaster recovery so you're planning for a contingency where your primary site might be hit by some catastrophe and you need to be able to have your organization function under those conditions so you're building up a dr site in another city another continent and you're replicating your equipment from your primary site to your dr site and as part of that you're also replicating your network security infrastructure so let's assume that in the brown here we have the primary side with the router and some firewalls and servers sitting behind it and then in your orange site which is the dr site you replicate the same structure you also have the equivalent routers and firewalls and everything is set up in the disaster recovery site as well but just putting together the equipment is not enough because all of these devices have security policy in them and policy changes so whenever you make a change to the Polish security policies in the primary site you need to make sure that an equivalent or matching change is made to the policies of the matching devices in the dr site you somehow need to create a linkage between the siblings on both sides between the primary and the dr so how do you do that really depends on what sort of equipment you have and how you set things up but in general it's not in not always an easy proposition one way to do it is if you have on both sides you have exactly the same equipment from the same vendor and that vendor is one of the vendors that offers good Harmel management systems and some are and some are not if you are in a position where you're using such a firewall management system from a vendor and you have homogeneous equipment across sites then you can have the same policy installed over here and over here with the same policy same file name when you make a change once in the firewall management system and the vendor system automatically pushes out to change the same change to the two sides and then they remain insync through all the policy changes if you don't have such a good firewall management system that synchronizes your sites like this or if for some reason you opted for having multiple vendors so your secondary your disaster recovery site uses equipment from a different vendor maybe a lower-cost environment maybe you're using a different model over on the dr site you have virtualized firewalls and over the primary you have traditional devices maybe they're not the same and the policy is not identical and especially if the the vendors are different than installing policy on firewall to over here the rules will look completely different when you try to install them on on the dr firewall because it's a different language so you need to have some kind of conversion that maintains the meaning of the rule but the syntax will look quite different so you need a system that will help you synchronize these things of course the last thing that you need to consider is are the server IP address is the same so you might be in a situation where you're you maintain exactly the same IP addresses in the primary and in the secondary maybe there are private IP addresses and you switch over using some kind of DNS mapping if you do that then the rules you install in the primary and the secondary are going to be identical exactly the same IP addresses will be used however if you're not doing that and you have a mapping between IP addresses in the primary to IP addresses in the secondary then the rule you're going to install on the secondary is going to look different it's going to have the mapped IP addresses in it so you cannot just blindly install the same policy in both places you need to tweak it to match the mapped IP addresses which makes the process even more complex to handle the point I'm trying to make though is you need to think of this through when you're putting together your dr site because if you neglect these things and the policies in both sides go out of sync then if the undesirable happens and the earthquake hits your primary site when you switch over to the secondary things will not work properly because the devices will not be configured as they need to thank you for your attention

Videos

Prof Wool: Firewall Management 201 | Lesson 12: Managing Your Security Policy for Disaster Recovery Subscribe

Related videos

Lesson 15: How to Synchronize Object Management with a CMDB

Lesson 16: How to Take Control of a Firewall Migration...

Lesson 14: Synchronized Object Management in a...

Sharing Network Security Information with the Wider IT...