Re: [fw-wiz] Firewalls Compared
From: Paul D. Robertson (paul_at_compuwar.net)
To: Devdas Bhagat <email@example.com>
Date: Tue, 22 Jun 2004 17:43:18 -0400 (EDT)
On Wed, 23 Jun 2004, Devdas Bhagat wrote:
> Thinking about it a bit more, I guess that what I am saying is that
> people who actually follow BCP are collateral damage. *That* is not
Sure, the same was true of the phone system before OOB signaling became
common, though abuse wasn't quite so widespread.
> > Sure, but if you have end-to-end QoS, you can potentially allow things
> > per-flow once you move control out of band. QoS allows you to do things
> One packet establishes a flow? The router in the middle dies.
The RADB stuff has been pretty good for tracking DDoS stuff, and I think
it is a good groundwork for further out of band control. Most times you don't
transit more than 5 networks to get to an endpoint; the real question is
can we scale the flow stuff, and if so where? Maybe per-destination AS in
aggregate would work... Don't get me wrong, we're not there, but I think
we have most of the groundwork in bits and pieces, we just need to either
swap out or fix layer 2 (swapping for something like DWDM would be nice,
with control channel signaling somewhere in the mix, but I think we can
get by without it.)
> > > like allow a routing arbiter to get through, or even
> > authentication/authorization traffic like the tagged packet "marker dye"
> > stuff.
> Yeah. But that doesn't let the user work.
Hrm, I thought the marker dye stuff worked pretty well, and it definitely
doesn't impact the users one bit, since it's out of band origin
information. In fact, I think it's one of the more novel things Cisco's
> > It could if you did QoS on the switch- you just have to be able to policy
> > QoS out to the leaf nodes, where the bandwidth matters. More integrated
> Again, we are speaking of home users on broadband. What switch?
In that case, the leaf node for their provider, furthest downstream is
> I agree with your point. I pointed out one more solution.
> Though a Linux box with OS and apps in ROM would be interesting.
If it's upgradeable, it's likely to be abusable though...
> > In my experience, it's been more ignorance that they *could* set the
> > firewall up that way or lack of power to set it up that way.
> Different locations, different perspectives :).
> The cost of the system is a very large factor in influencing firewall
I suppose in some places that's an issue, cheap boxes here have changed
the equation for getting a firewall, they just haven't changed the
equation for actually configuring one well...
From a strategic perspective, I'm much more worried about bad actors and
intruders than worms. I see worms as tactical; Exec-shield, NX, and other
things will evolve to handle them, just as AV evolved to handle macro
viruses, which were a huge issue at one point.
Paul D. Robertson
firstname.lastname@example.org
email@example.com
Director of Risk Assessment
TruSecure Corporation

"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list