Re: [Full-Disclosure] Sidewinder G2

From: Michael Gale (michael_at_bluesuperman.com)
Date: 11/20/03

  • Next message: Nick FitzGerald: "Re: [Full-Disclosure] .hta virus analysys"
    To: full-disclosure@lists.netsys.com
    Date: Thu, 20 Nov 2003 11:33:42 -0700
    
    

    So how about High Availability ?

    I have recently setup two slackware linux based firewalls with some
    nice iptables setup with lids (linux intrusion detection system) which
    locks down the kernel and makes the file system not writable :)

    Each firewall I setup High Availability (www.linux-ha.org) so if one
    machine is down (non-responsive) the other one will take over.

    Also to help in the prevention of DOS attacks --- what about syn
    cookies ?

    Michael.

    On Thu, 20 Nov 2003 12:10:27 -0500
    Shawn McMahon <smcmahon@eiv.com> wrote:

    > Schmehl, Paul L wrote:
    > >
    > > Maybe your network policy states that, but I would prefer for single
    > > point of failure devices to fail open, rather than closed. For us,
    > > network availability is a higher priority than protection is. If
    > > the firewall fails, I don't want the entire network down while we're
    > > waiting for a vendor to fix it. I'd be surprised if most networks
    > > aren't that way.
    >
    > The problem with this, as I'm sure you know (but it bears repeating
    > for the peanut gallery) is that it turns any DoS on your firewall into
    > an instant security hole. That escalates the severity of DoS bugs on
    > the firewall, which greatly increases the need to upgrade it when
    > they're found, which can increase your downtime.
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Nick FitzGerald: "Re: [Full-Disclosure] .hta virus analysys"