Firewall Wizards mailing list archives

Re: non-IP firewalls


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Fri, 01 May 1998 11:48:25 -0400

Bernhard Schneck wrote:
> There's a package called Firewall/Plus which claims to be able to
> filter lots of different protocols (I think they claimed about 600),
> including IPX, SNA and others.
>
> It's a generic filtering engine that can be programmed to
> "understand" various packets and data formats and firewall
> them. Pretty slick stuff.
>
> From what I read about it, it seems to be a packet filter starting
> at the MAC layer and working its way up through the ethernet frame.

Correct. One interesting thing about it is that it can act
like a bridge, rather than a router (as most IP firewalls do).
Since it's handling potentially non-routed protocols, I guess
that's the only way to do it.

> I've never used or evaluated it yet, though.  If someone (independent
> from the vendor, with a reputable name in the field :-) has, I'd sure
> like to hear about her/his results.

I did some testing of one in 1995, back when it was a DOS program
rather than an NT application. This was part of a design review
I did for hire by the folks at Network-1. Basically, they asked me
to pound on their product and suggest ways to improve on it. There
was a lot to like about the firewall and fairly little to dislike.
I think the reason we don't see more of them is lack of effective
marketing and the fact that they were a late entry into the market.
Their NT version was late, too, so they never got sufficient
attention.

Things I liked/didn't like: (This is based on a 4-year-old eval)
Liked: The fact that it acts like a bridge not a router. It's hard
        to launch attacks against something that doesn't admit it's
        there.
Didn't like: At that time there was no way to manage it remotely. I
        do not know if this has changed.
Liked: User interface was very powerful for a person who knows networking.
Didn't like: User interface was too complex for a person who does not
        know networking.
Loved: Comes with template policies that can be applied: "extremely
        restrictive security"  "permissive outgoing security" etc.
Liked: The one I looked at ran on DOS: this took guts. It probably
        hurt them terribly in the market.

Definitely a product worth taking a look at. Make your own decision.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
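The bridge-style, MAC-layer-up filtering discussed in this thread, as an added example: this is not Firewall/Plus code, and the EtherType table, the two template policies and the sample frames are constructed for illustration.

```python
import struct

# EtherType -> protocol name (standard assignments; table constructed for this example)
ETHERTYPES = {0x0800: "ip", 0x0806: "arp", 0x8137: "ipx", 0x86DD: "ipv6"}

def classify_frame(frame: bytes) -> dict:
    """Look at a frame the way a bridging filter does: MAC header first, then
    decide what sits above it (Ethernet II, raw 802.3 IPX, 802.2 LLC, SNAP)."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    if type_or_len >= 0x0600:            # Ethernet II: the field is an EtherType
        proto = ETHERTYPES.get(type_or_len, f"ether-0x{type_or_len:04x}")
    elif frame[14:16] == b"\xff\xff":    # Novell "raw" 802.3: IPX checksum 0xFFFF follows length
        proto = "ipx"
    elif frame[14:16] == b"\xaa\xaa":    # 802.2 SNAP: EtherType sits after LLC(3)+OUI(3)
        snap_type = struct.unpack("!H", frame[20:22])[0]
        proto = ETHERTYPES.get(snap_type, f"snap-0x{snap_type:04x}")
    else:                                # plain 802.2 LLC: DSAP 0x04 is SNA path control
        dsap = frame[14]
        proto = "sna" if dsap == 0x04 else f"llc-sap-0x{dsap:02x}"
    return {"dst": dst.hex(":"), "src": src.hex(":"), "proto": proto}

# Template policies in the spirit of "extremely restrictive" / "permissive
# outgoing": rules keyed by (direction, protocol); anything unlisted is denied.
POLICIES = {
    "extremely-restrictive": {("out", "ip"): "permit"},
    "permissive-outgoing": {("out", "ip"): "permit", ("out", "ipx"): "permit",
                            ("out", "arp"): "permit", ("in", "arp"): "permit"},
}

def filter_frame(frame: bytes, ingress_port: str, policy: str) -> str:
    """A bridge knows which port a frame arrived on, so direction comes
    from the port, not from any address the frame carries."""
    direction = "out" if ingress_port == "inside" else "in"
    info = classify_frame(frame)
    return POLICIES[policy].get((direction, info["proto"]), "deny")

# Constructed sample frames (payloads are zero-padded stubs, not real packets)
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
IP_FRAME = MAC_B + MAC_A + b"\x08\x00" + b"\x45" + b"\x00" * 19              # Ethernet II, IPv4
IPX_FRAME = MAC_B + MAC_A + struct.pack("!H", 30) + b"\xff\xff" + b"\x00" * 28  # raw 802.3 IPX
SNA_FRAME = MAC_B + MAC_A + struct.pack("!H", 20) + b"\x04\x04\x03" + b"\x00" * 17  # 802.2 LLC, SAP 0x04

if __name__ == "__main__":
    for name, f in (("ip", IP_FRAME), ("ipx", IPX_FRAME), ("sna", SNA_FRAME)):
        print(name, classify_frame(f)["proto"], filter_frame(f, "inside", "permissive-outgoing"))
```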


