Re: [fw-wiz] Firewalls Compared

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 06/22/04

    To: Devdas Bhagat <devdas@dvb.homelinux.org>
    Date: Tue, 22 Jun 2004 17:43:18 -0400 (EDT)
    
    

    On Wed, 23 Jun 2004, Devdas Bhagat wrote:

    > Thinking about it a bit more, I guess that what I am saying is that
    > people who actually follow BCP are collateral damage. *That* is not
    > appreciated.

    Sure, the same was true of the phone system before OOB signaling became
    common- though abuse wasn't quite so widespread.

    > > Sure, but if you have end-to-end QoS, you can potentially allow things
    > > per-flow once you move control out of band. QoS allows you to do things
    > One packet establishes a flow? The router in the middle dies.

    The RADB stuff has been pretty good for tracking DDoS stuff, and I think
    is a good groundwork for further out of band control- most times you don't
    transit more than 5 networks to get to an endpoint, the real question is
    can we scale the flow stuff, and if so where? Maybe per-destination AS in
    aggregate would work... Don't get me wrong, we're not there- but I think
    we have most of the groundwork in bits and pieces, we just need to either
    swap out or fix layer 2 (swapping for something like DWDM would be nice,
    with control channel signaling somewhere in the mix, but I think we can
    get by without it.)

    > > > like allow a routing arbiter to get through, or even
    > > authentication/authorization traffic like the tagged packet "marker dye"
    > > stuff.
    > Yeah. But that doesn't let the user work.

    Hrm, I thought the marker dye stuff worked pretty well, and it definitely
    doesn't impact the users one bit, since it's out of band origin
    information. In fact, I think it's one of the more novel things Cisco's
    tried.

    > > It could if you did QoS on the switch- you just have to be able to policy
    > > QoS out to the leaf nodes, where the bandwidth matters. More integrated
    > Again, we are speaking of home users on broadband. What switch?

    In that case, the leaf node for their provider, furthest downstream is
    preferable.

    > I agree with your point. I pointed out one more solution.
    > Though a Linux box with OS and apps in ROM would be interesting.

    If it's upgradeable, it's likely to be abusable though...

    > <snip>
    > > In my experience, it's been more ignorance that they *could* set the
    > > firewall up that way or lack of power to set it up that way.
    > Different locations, different perspectives :).
    > The cost of the system is a very large factor in influencing firewall
    > purchases.

    I suppose in some places that's an issue, cheap boxes here have changed
    the equation for getting a firewall, they just haven't changed the
    equation for actually configuring one well...

    From a strategic perspective, I'm much more worried about bad actors and
    intruders than worms, I see worms as tactical, Exec-shield, NX, and other
    things will evolve to handle them, just as AV evolved to handle macro
    viruses, which were a huge issue at one point.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

