Re: [fw-wiz] Firewalls Compared

From: Paul D. Robertson
Date: 06/22/04

    To: Devdas Bhagat <>
    Date: Tue, 22 Jun 2004 17:43:18 -0400 (EDT)

    On Wed, 23 Jun 2004, Devdas Bhagat wrote:

    > Thinking about it a bit more, I guess that what I am saying is that
    > people who actually follow BCP are collateral damage. *That* is not
    > appreciated.

    Sure, the same was true of the phone system before OOB signaling became
    common, though abuse wasn't quite so widespread.

    > > Sure, but if you have end-to-end QoS, you can potentially allow things
    > > per-flow once you move control out of band. QoS allows you to do things
    > One packet establishes a flow? The router in the middle dies.

    The RADB stuff has been pretty good for tracking DDoS stuff, and I think
    it is good groundwork for further out-of-band control. Most times you don't
    transit more than 5 networks to get to an endpoint; the real question is
    can we scale the flow stuff, and if so where? Maybe per-destination AS in
    aggregate would work... Don't get me wrong, we're not there, but I think
    we have most of the groundwork in bits and pieces; we just need to either
    swap out or fix layer 2 (swapping for something like DWDM would be nice,
    with control channel signaling somewhere in the mix, but I think we can
    get by without it.)

    > > > like allow a routing arbiter to get through, or even
    > > authentication/authorization traffic like the tagged packet "marker dye"
    > > stuff.
    > Yeah. But that doesn't let the user work.

    Hrm, I thought the marker dye stuff worked pretty well, and it definitely
    doesn't impact the users one bit, since it's out-of-band origin
    information. In fact, I think it's one of the more novel things Cisco's

    > > It could if you did QoS on the switch- you just have to be able to policy
    > > QoS out to the leaf nodes, where the bandwidth matters. More integrated
    > Again, we are speaking of home users on broadband. What switch?

    In that case, the leaf node for their provider, furthest downstream is

    > I agree with your point. I pointed out one more solution.
    > Though a Linux box with OS and apps in ROM would be interesting.

    If it's upgradeable, it's likely to be abusable though...

    > <snip>
    > > In my experience, it's been more ignorance that they *could* set the
    > > firewall up that way or lack of power to set it up that way.
    > Different locations, different perspectives :).
    > The cost of the system is a very large factor in influencing firewall
    > purchases.

    I suppose in some places that's an issue; cheap boxes here have changed
    the equation for getting a firewall, they just haven't changed the
    equation for actually configuring one well...

    From a strategic perspective, I'm much more worried about bad actors and
    intruders than worms. I see worms as tactical; Exec-shield, NX, and other
    things will evolve to handle them, just as AV evolved to handle macro
    viruses, which were a huge issue at one point.

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation

    firewall-wizards mailing list
