Managing the firewall pool

This section sets out the recommendations on managing a pool of SNS firewalls.

This feature was not part of the security target during the SNS firewall qualification process.

To manage several SNS firewalls, we recommend setting up an administration IS, as this complies with the guide on the secure administration of information systems (Recommendations on the secure administration of information systems, available in French). This administration IS should be used in particular to:

  • Provide centralized authentication of administrators (see the chapter Centralized authentication) and the external PKI (see the chapter Using a PKI),

  • Access the SNS firewall's administration services remotely (HTTPS, and NSRPC, whose tools use TCP port 1300) from administration workstations, in line with the chapter Administration services,

  • Forward logs generated by the SNS firewall to the central log server, in line with the chapter Logging and the Security recommendations for the implementation of log systems (available in French),

  • Allow the passage of monitoring traffic described in the chapter Monitoring, which is exchanged between the SNS firewall and the central monitoring server,

  • Forward the SNS firewall's backup files to the central backup server, in line with the chapter Backup.
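The administration services listed above (HTTPS, and NSRPC on TCP port 1300) should only be reachable from the administration IS. The following audit script is an added example, not part of this guide or of any Stormshield tool: it models filter rules as plain dicts (a constructed, simplified model, not the SNS rule engine) and reports any rule that lets an administration service reach the firewall from outside an assumed administration network. The firewall address, network ranges and sample rules are constructed values, and IPv4 is assumed.

```python
import ipaddress

# Administration services named in the guide: HTTPS (tcp/443) and NSRPC (tcp/1300).
ADMIN_SERVICES = {("tcp", 443), ("tcp", 1300)}

# Assumed administration IS network (constructed value).
ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")


def audit_admin_access(rules, firewall_ip, admin_net=ADMIN_NET):
    """Return findings for 'pass' rules that allow an administration service
    to reach the firewall from a source outside the administration network.

    Each rule is a dict with keys: action ('pass' or 'block'), src (CIDR),
    dst (address or CIDR), proto ('tcp'/'udp') and dport (int).
    """
    findings = []
    fw = ipaddress.ip_address(firewall_ip)
    for idx, rule in enumerate(rules, start=1):
        if rule["action"] != "pass":
            continue
        if (rule["proto"], rule["dport"]) not in ADMIN_SERVICES:
            continue  # not an administration service
        if fw not in ipaddress.ip_network(rule["dst"]):
            continue  # rule does not target the firewall itself
        src = ipaddress.ip_network(rule["src"])
        if not src.subnet_of(admin_net):
            findings.append(
                f"rule {idx}: {rule['proto']}/{rule['dport']} to {firewall_ip} "
                f"allowed from {src}, outside admin network {admin_net}"
            )
    return findings


# Constructed sample rule set: the first two follow the guide, the next two do not.
SAMPLE_RULES = [
    {"action": "pass", "src": "10.10.0.0/24", "dst": "192.0.2.1", "proto": "tcp", "dport": 443},
    {"action": "pass", "src": "10.10.0.10/32", "dst": "192.0.2.1", "proto": "tcp", "dport": 1300},
    {"action": "pass", "src": "0.0.0.0/0", "dst": "192.0.2.1", "proto": "tcp", "dport": 443},
    {"action": "pass", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "tcp", "dport": 1300},
    {"action": "pass", "src": "172.16.0.0/16", "dst": "192.0.2.1", "proto": "tcp", "dport": 80},
]

if __name__ == "__main__":
    for finding in audit_admin_access(SAMPLE_RULES, "192.0.2.1"):
        print(finding)
```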

Stormshield's SMC server, among other tools, makes it possible to implement these features. Furthermore, a large pool of SNS firewalls can be managed easily through specific features such as:

  • Folder-based SNS firewall management,

  • Use of filter and translation rule sets,

  • Offline SNS firewall configuration,

  • Postponement of configuration deployments,

  • Scheduling the execution of SNS CLI scripts on a pool,

  • etc.