Re: Firewall advice required please
From: Benjamin M.A. Robson (ben@robson.ph) Date: 07/08/02
- Next message: Eirik Seim: "Re: Is stealth redundant?"
- Previous message: Victoria Spelling: "Firewall input output on the same physical network - will this work!"
- In reply to: G: "Re: Firewall advice required please"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Benjamin M.A. Robson" <ben@robson.ph> Date: Mon, 08 Jul 2002 16:13:14 GMT
OK.. I may be missing something critical here, so please do enlighten me....
1./ How does an in-route device (i.e. a device in line with the flow of
traffic), that is not the terminating point, inspect ENCRYPTED traffic?
Certainly you can check that the packets are traveling to/from specified
end-points, but unless you have a HUGE processing capability how do you
justify saying you can inspect the encrypted payload? I am VERY
interested in this statement.
*note to reader - A poor answer to this question will indicate marketing
FUD*
2./ How do you provide "SECURE" access without a VPN? Are you
suggesting you are achieving as-good-as security using a standard SSL,
encrypted link, compared to, say, an AES, or Blowfish, or CAST, or IDEA
encrypted channel, using a decent keying system, with digital
certificates (or even good/long shared secrets)?
If the answer is the use of a JAVA interface, doesn't this mean you need
to provide a web server somewhere to serve the JAVA code (which
by-the-way is limited by the JAVA security model to a client talking to
the providing server). So if a web server is provided, is that
proprietary, is it open source, open for review? How open to the public
is this device? Why do you run a service (open to external access) on
your perimeter security appliance? Doesn't this provide an attack vector?
Thank you for the response, I am very interested in the answers.
Regards,
Ben
G wrote:
> Darren,
>
> You may want to re-think this... I would seriously consider an air-gap
> solution. This is the next generation gateway. It provides a secure frontend
> by virtue of an air-gap...you could offer secure access from any web browser
> without a VPN. I know this sounds strange, but I am a security professional
> and air-gap is the only product we carry. Let me outline a few features that
> no other firewall can touch.
>
> 1. Air-gap technology can inspect encrypted traffic
>
> 2. Provide secure access without a VPN from any web browser (this greatly
> reduces helpdesk costs in supporting VPN clients)
>
> 3. Acts as certificate server, authentication, SSL engine
>
> 4. Upgrades and patches to the backend can be performed as part of regular
> maintenance.
>
> Basically the Air-gap switch gives you a physical disconnection, yet
> allowing real time throughput at 100mbs. This has been used as a military
> grade firewall in Israel. Easy to administer by virtue of a learning tool.
> But best of all, it scales easily. Take a look at our website
> www.infinitegenesys.com and look for Whale Communications in our product
> section. I have been a security consultant for almost 10yrs and I can tell
> you that all firewalls (with the exception of air gap) are pretty much
> alike. Different interfaces, proxy or not etc... Let me know if you'd like
> to know more.
>
> Sincerely, George Gebhardt
>
> "Whoever" <Whoever@wherever.com> wrote in message
> news:3d15d404_6@nopics.sjc...
>
>>Check into the Nokia appliances running FW-1/VPN-1. They're simple to
>>setup, easy to administer/monitor, and solid. Get out your checkbook.
>>
>>"Darren Robertson" <darren@orcsoftware.com> wrote in message
>>news:zknQ8.3405$t4.8317@nntpserver.swip.net...
>>
>>>All.
>>>
>>>I've read through some of the archives on this ng and some of the previous
>>>posts are pertinent to my requirements but I would appreciate some more
>>>advice particular to my environment.
>>>
>>>HISTORY
>>>
>>>Our head office is relocating and have decided that they are not taking the
>>>leased lines with them. This means that we have to go down a VPN route and
>>>put ourselves behind our own firewall rather than taking shelter behind our
>>>central one.
>>>
>>>FUTURE
>>>
>>>We are looking at implementing a 2Mbps Dedicated leased line.
>>>
>>>REQUIREMENTS
>>>
>>>Has to be capable of supporting VPN and +48 simultaneous connections. Our
>>>initial thoughts were to go with Cisco 515E despite the fact that none of us
>>>are particularly big fans of them. However some of the reviews I have read
>>>have panned the aforementioned Cisco. We would prefer something on Solaris
>>>as that is what we know and would prefer to stay away from NT.
>>>
>>>Any advice would be greatly appreciated. I'm searching on the web for
>>>anything that may be suitable.
>>>
>>>Thanks in advance for your assistance.
>>>
>>>D.
>>>
>>>--
>>>__________
>>>Darren Robertson
>>>Technical Support
>>>ORC Software
>>>__________
>>>Tel: +44 (0)20 7942 0999
>>>Fax: +44 (0)20 7942 0940
>>>www.orcsoftware.com
>>>__________
>>>Orc Software e-mail Disclaimer.
>>>If you have received this e-mail in error or wish to read our e-mail
>>>disclaimer statement and monitoring policy, please refer to
>>>http://www.orcsoftware.com/disclaimer or contact the sender.
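An added illustration of Ben's first question, not part of the thread and not code from any product named in it: a mid-path device that does not terminate the TLS session can parse record framing and the cleartext parts of a TLS 1.2 handshake (here the server_name extension of a ClientHello) but sees only an opaque length for Application Data. The byte strings below are constructed for the example, not captured traffic, and the server name and payload are placeholders.

```python
import struct

# Constructed sample data (not captured traffic): a minimal TLS 1.2
# ClientHello carrying an SNI extension, followed by one Application Data
# record whose payload is arbitrary bytes standing in for ciphertext.
SAMPLE_SERVER_NAME = b"vpn.example.com"
SAMPLE_CIPHERTEXT = bytes(range(48))  # opaque to anyone without the session key


def build_client_hello(server_name):
    """Assemble a ClientHello record (RFC 5246 layout, minimal fields)."""
    random = b"\x11" * 32
    cipher_suites = b"\xc0\x2f\xc0\x30"
    compression = b"\x00"
    name_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
    name_list = struct.pack("!H", len(name_entry)) + name_entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + struct.pack("!B", len(compression)) + compression
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_app_data(ciphertext):
    """Wrap already-encrypted bytes in an Application Data record."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def iter_records(stream):
    """Split a byte stream into (content_type, version, payload) TLS records."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        yield ctype, (major, minor), payload
        off += 5 + length
    if off != len(stream):
        raise ValueError("trailing bytes after last record")


def parse_sni(handshake):
    """Return the host_name from a ClientHello handshake message, or None."""
    if not handshake or handshake[0] != 1:          # 1 = client_hello
        return None
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    p = 2 + 32                                       # skip version + random
    p += 1 + body[p]                                 # session id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher suites
    p += 1 + body[p]                                 # compression methods
    if p + 2 > len(body):
        return None                                  # no extensions block
    ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        p += 4
        edata = body[p:p + elen]
        p += elen
        if etype != 0:                               # 0 = server_name
            continue
        q = 2                                        # skip list length
        while q + 3 <= len(edata):
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            if ntype == 0:                           # host_name
                return edata[q:q + nlen].decode("ascii")
            q += nlen
    return None


def inline_view(stream):
    """What a mid-path device can state about the stream without session keys."""
    view = []
    for ctype, version, payload in iter_records(stream):
        if ctype == 22:                              # handshake (cleartext in TLS 1.2)
            view.append({"record": "handshake", "version": version,
                         "sni": parse_sni(payload), "readable": True})
        elif ctype == 23:                            # application_data
            view.append({"record": "application_data", "version": version,
                         "bytes": len(payload), "readable": False})
        else:
            view.append({"record": "other", "version": version,
                         "bytes": len(payload), "readable": False})
    return view


def demo():
    """Run the parser over the constructed stream and return what is visible."""
    stream = build_client_hello(SAMPLE_SERVER_NAME) + build_app_data(SAMPLE_CIPHERTEXT)
    return inline_view(stream)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Reading the payload itself requires terminating the session, either a proxy holding the server's private key or a client configured to trust the proxy's CA, and that is where the processing cost Ben points at actually lands. In TLS 1.3 the handshake after ServerHello is encrypted as well, so even the metadata this parser recovers shrinks further.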