Firewall Wizards mailing list archives
RE: Sliding/Shifting/Morphing firewalls
From: "Stout, Bill" <StoutB () pioneer-standard com>
Date: Fri, 12 Feb 1999 15:01:00 -0500
----- Original Message -----
From: Stephen P. Berry [SMTP:spb () meshuga incyte com]

> <snip>
> Ds of S. originating from the dreaded Internet, that is. If all the RAIFset pops are in the same geographic area you're still going to be pretty vulnerable to the ol' utilities company backhoe D.O.S.

Which is why the links should be redundant. This could be a problem with some underdeveloped regions (both CONUS and foreign) where the LEC is a monopoly, or there are no landlines.

> <snip>
> be done over parallel and redundant paths over public, public/private, or
> <snip>
> Presuming the evildoer(s) aren't privy to the constituent addresses of your RAIFset. Launching a D.O.S. against a half dozen addresses isn't markedly more difficult than launching a D.O.S. against one. I suppose you could add the additional abstraction layer of having a RAIBRset (a RAID set of border routers), each pointing to a different upstream provider, for every firewall in your RAIFset...but that's just adding additional -complexity- to the problem of launching a successful D.O.S., rather than adding additional -difficulty- (if you understand the distinction).

Makes me wonder how to DOS a group of IP addresses... You can't DOS an interface if it's a dedicated transmitter, since it won't listen to you... (uh-oh, new ideas are sparked) For this case I'm equating the Internet with radio airspace, since both are communications media accessible and abusable by 'anyone'. Since it's trivial to jam a single frequency, spread-spectrum techniques were designed to counter such jamming (and help hide the link). In fact, with military satellites, jamming attempts (noise) help the receiver focus on a band. Using a group of IP addresses and spanning a large range of port numbers could be used to duplicate the theory of SS.

> <snip>
> control. When you're investigating problems, you will invariably discover that those bits not under your control are in fact administered by groups of uberlusers who possess diagnostic skills roughly on a par with a troop of mildly concussed tarsiers. If you're relying on

What? Tarsiers? [then AltaVista replies http://primates.com/tarsier.htm] Oh, I get it. I've always used the term 'mouth-breather'.

> them for high availability bandwidth or, heavens forfend, security, you're going to get chumped.

Chimped? ;)

>> 'Course the RAIFset would have to be coded with a daily key for the random
>> but predictable pattern of addresses:ports used to create an aggregated trunk.
>
> In terms of bandwidth, the best method would probably be to use a PRNG with a reasonably long period. Set the seed during the initial setup of the constituent firewalls in the RAIFsets, and then exchange a new seed at some pre-defined interval (some wee bit less than your PRNG's period).

Right now I sure wish I could write code. My thoughts would then be worth more than a whisper from the bottom of aforementioned troop member.

> You could also pass the next (and perhaps prior) port(-s) and address(-es) in the header of each packet, although this would pragmatically mean turning your RAIFset into a defragmenting router unless you had some mechanism for ensuring a fixed latency across any possible data paths. Retransmits---presumably only necessary if you lose both a data packet and a parity packet---would also be a bitch.

Unfortunately this (and other required functions) means the RAIFset would need to be front-ended with something knowledgeable about the conversation. Internally something that looks like a single interface would need to exist. Akin to a RAID controller, a RAIF controller (possibly redundant) would proxy, do VPN/PKI magic if the destination is another RAIFset, and delegate data/parity packets to the appropriate RAIF members, themselves doing PRNG IP address/port-dancing magic with their remote RAIF member partner. This whole exercise of free-association thinking then brings me back to my original question of what benefit port-shifting would have.

Bill Stout
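The two mechanisms sketched in this exchange, a seeded PRNG that both RAIF peers use to derive the same address:port hop schedule (reseeded at an interval shorter than the generator's period), and data/parity packet striping in which losing both a data packet and the parity packet forces a retransmit, as an added Python example. This is not code from the thread or from either author; the member addresses, port range, counter-mode hash used as the PRNG, seed ratchet and packet contents are all constructed assumptions for illustration.

```python
"""Added example, not part of the original thread: a shared PRNG hop schedule for
RAIF peers plus XOR parity striping. All addresses, seeds and packets are constructed."""
import hashlib
import struct

# Constructed sample RAIFset: four member firewalls (RFC 5737 documentation addresses).
RAIF_MEMBERS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
PORT_LO, PORT_HI = 20000, 60000          # hop within this port range (assumption)


def hop_schedule(seed: bytes, epoch: int, n: int) -> list:
    """Return n (address, port) pairs for a given shared seed and epoch.

    The "PRNG" here is a counter-mode keyed hash: each output depends only on the
    shared seed, the epoch number and the hop index, so two peers holding the same
    seed derive an identical schedule without exchanging per-packet state.
    """
    hops = []
    for i in range(n):
        block = hashlib.sha256(seed + struct.pack(">QQ", epoch, i)).digest()
        addr = RAIF_MEMBERS[block[0] % len(RAIF_MEMBERS)]
        port = PORT_LO + int.from_bytes(block[1:5], "big") % (PORT_HI - PORT_LO)
        hops.append((addr, port))
    return hops


def next_seed(seed: bytes, epoch: int) -> bytes:
    """Ratchet the seed at each reseed interval (stands in for the seed exchange)."""
    return hashlib.sha256(b"reseed" + seed + struct.pack(">Q", epoch)).digest()


def peers_in_sync(seed_a: bytes, seed_b: bytes, epoch: int, n: int = 16) -> bool:
    """True only if both peers compute the same schedule for this epoch.

    A peer that missed a reseed keeps hopping on a stale schedule and its packets
    land on ports nobody is listening on: the failure mode to monitor for."""
    return hop_schedule(seed_a, epoch, n) == hop_schedule(seed_b, epoch, n)


def make_parity(packets: list) -> bytes:
    """XOR parity over a stripe of equal-length data packets (RAID-4/5 style)."""
    size = len(packets[0])
    if not all(len(p) == size for p in packets):
        raise ValueError("stripe members must be equal length")
    parity = bytearray(size)
    for p in packets:
        for k, b in enumerate(p):
            parity[k] ^= b
    return bytes(parity)


def recover_stripe(received: dict, parity, stripe_size: int):
    """Rebuild a stripe from whatever arrived.

    received maps stripe index -> bytes for the data packets that arrived; parity
    is the parity packet, or None if it was lost. Returns the complete list of data
    packets, or None when more than one packet of the stripe is missing (two data
    packets, or a data packet plus the parity packet), which is exactly the case
    the thread says would need a retransmit.
    """
    missing = [i for i in range(stripe_size) if i not in received]
    if not missing:
        return [received[i] for i in range(stripe_size)]
    if len(missing) > 1 or parity is None:
        return None
    rebuilt = bytearray(parity)          # XOR out every surviving packet
    for p in received.values():
        for k, b in enumerate(p):
            rebuilt[k] ^= b
    full = dict(received)
    full[missing[0]] = bytes(rebuilt)
    return [full[i] for i in range(stripe_size)]


if __name__ == "__main__":
    seed = b"\x01" * 32                  # constructed initial seed
    for epoch in range(2):
        print(f"epoch {epoch}:", hop_schedule(seed, epoch, 4))
        seed = next_seed(seed, epoch)
    stripe = [b"alpha!!!", b"bravo!!!", b"charlie!"]   # constructed data packets
    par = make_parity(stripe)
    print("recovered:", recover_stripe({0: stripe[0], 2: stripe[2]}, par, 3))
    print("double loss:", recover_stripe({0: stripe[0]}, par, 3))
```

The schedule generator is deliberately stateless per hop, so a receiver can tolerate reordering across a small window by checking a packet against the few indices it expects next rather than a single "current" port; the parity helper shows why a stripe of N data packets buys exactly one loss per stripe and no more.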