Firewall Wizards mailing list archives

RE: Sliding/Shifting/Morphing firewalls


From: "Stout, Bill" <StoutB () pioneer-standard com>
Date: Fri, 12 Feb 1999 15:01:00 -0500

----- Original Message -----
From: Stephen P. Berry [SMTP:spb () meshuga incyte com]

<snip>
Ds of S. originating from the dreaded Internet, that is.  If all the
RAIFset pops are in the same geographic area you're still going to
be pretty vulnerable to the ol' utilities company backhoe D.O.S.
 
Which is why the links should be redundant.  This could be a problem with
some underdeveloped regions (both CONUS and foreign) where the LEC is a
monopoly, or there are no landlines.
 
<snip>
be done over parallel and redundant paths over public, public/private, or
<snip>

Presuming the evildoer(s) aren't privy to the constituent addresses of
your RAIFset.  Launching a D.O.S. against a half dozen addresses isn't
markedly more difficult than launching a D.O.S. against one.  I suppose
you could add the additional abstraction layer of having a RAIBRset
(a RAID set of border routers), each pointing to a different upstream
provider, for every firewall in your RAIFset...but that's just adding
additional -complexity- to the problem of launching a successful D.O.S.,
rather than adding additional -difficulty- (if you understand the
distinction).

Makes me wonder how to DOS a group of IP addresses...  You can't DOS an
interface if it's a dedicated transmitter, since it won't listen to you...
(uh-oh, new ideas are sparked)

For this case I'm equating the Internet with radio airspace, since both are
communications mediums accessible and abuseable by 'anyone'.  Since it's
trivial to jam a single frequency, spread-spectrum techniques were designed
to counter such jamming (and help hide the link).  In fact, with military
satellites, jamming attempts (noise) helps the receiver focus on a band.
Using a group of IP addresses and spanning a large range of port numbers
could be used to duplicate the theory of SS.

<snip>
control.  When you're investigating problems, you will invariably
discover that those bits not under your control are in fact administered by
groups of uberlusers who possess diagnostic skills roughly on a par
with a troop of mildly concussed tarsiers.  If you're relying on

What? Tarsiers? [then Altavista replies http://primates.com/tarsier.htm]
Oh, I get it.  I've always used the term 'mouth-breather'.

them for high availability bandwidth or, heavens forfend, security,
you're going to get chumped.

Chimped?  ;)

'Course the RAIFset would have to be coded with a daily key for the random
but predictable pattern of addresses:ports used to create an aggregated
trunk.

In terms of bandwidth, the best method would probably be to use a
PRNG with a reasonably long period.  Set the seed during the
initial setup of the constituent firewalls in the RAIFsets, and
then exchange a new seed at some pre-defined interval (some wee bit
less than your PRNG's period).

Right now I sure wish I could write code.  My thoughts would then be worth
more than a whisper from the bottom of aforementioned troop member.

You could also pass the next (and perhaps prior) port(-s) and address(-es)
in the header of each packet, although this would pragmatically
mean turning your RAIFset into a defragmenting router unless you had
some mechanism for ensuring a fixed latency across any possible data
paths.  Retransmits---presumably only necessary if you lose both
a data packet and a parity packet---would also be a bitch.
 
Unfortunately this (and other required functions) means the RAIFset would
need to be front-ended with something knowledgeable about the conversation.
Internally something that looks like a single interface would need to exist.
Akin to a RAID controller, a RAIF controller (possibly redundant) would
proxy, do VPN/PKI magic if destination is another RAIFset, and delegate
data/parity packets to the appropriate RAIF members, themselves doing PRNG
IPaddress/port-dancing magic with their remote RAIF member partner.  

This whole exercise of free-association thinking then brings me back to my
original question of what benefit port-shifting would have.

Bill Stout
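[Editor's note: the seeded-PRNG address:port hopping that Berry and Stout sketch above (a shared seed, a re-seed at a fixed interval, and a receiver that must know where the next packet will land) can be made concrete. The following is an added example written for this archive page; it is not code from either poster. The member address pool, the port span, the slot timing and every function name are assumptions. It deliberately substitutes a keyed PRF (HMAC-SHA256) for the "PRNG with a reasonably long period" Berry suggests: an ordinary PRNG's output, once observed on the wire, can let an attacker reconstruct its state and predict the next hop, which is exactly the property this scheme depends on keeping secret. The periodic seed exchange is modelled as deriving a per-epoch seed from a shared long-term key, and the receive-side check tolerates one slot of skew to absorb the unequal path latency Berry raises.]

```python
"""Keyed address:port hopping for a pair of RAIF members.

Added illustration for the archive page, not code from the thread.
The member pool, port span, slot timing and all names are assumptions.
"""
import hashlib
import hmac
import struct

# Constructed sample pool of RAIF member addresses (RFC 5737 test range).
MEMBER_ADDRS = ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13")
PORT_LO, PORT_HI = 10000, 60000   # port span both ends agree to hop across
SLOT_SECONDS = 1                  # how often the expected endpoint moves
EPOCH_SLOTS = 3600                # slots per seed; re-key once per epoch


def slot_for(t_seconds):
    """Map wall-clock time to a hop slot number (both sides need synced clocks)."""
    return int(t_seconds // SLOT_SECONDS)


def epoch_seed(long_term_key, epoch):
    """Per-epoch seed. The thread's 'exchange a new seed at an interval' is
    modelled by deriving it from a shared long-term key and the epoch counter,
    so nothing further has to cross the wire once the key is installed."""
    return hmac.new(long_term_key, b"seed" + struct.pack(">Q", epoch),
                    hashlib.sha256).digest()


def hop(long_term_key, slot, addrs=MEMBER_ADDRS, lo=PORT_LO, hi=PORT_HI):
    """Return the (address, port) a peer must use in `slot`.

    A keyed PRF (HMAC-SHA256) stands in for a plain PRNG: its output looks
    random to anyone without the key, and recording past hops hands an
    observer no generator state from which to predict the next one."""
    epoch, counter = divmod(slot, EPOCH_SLOTS)
    digest = hmac.new(epoch_seed(long_term_key, epoch),
                      struct.pack(">Q", counter), hashlib.sha256).digest()
    addr_idx, port_raw = struct.unpack(">II", digest[:8])
    return addrs[addr_idx % len(addrs)], lo + port_raw % (hi - lo + 1)


def schedule(long_term_key, start_slot, count):
    """The next `count` hops, e.g. to pre-arm a member's listener sockets."""
    return [hop(long_term_key, s) for s in range(start_slot, start_slot + count)]


def accept(long_term_key, now_slot, addr, port, skew=1):
    """Receive-side filter: take a packet only if it lands on the endpoint
    scheduled for the current slot or one within +/-skew slots, so clock
    drift and unequal path latency across the members do not drop traffic."""
    return any(hop(long_term_key, s) == (addr, port)
               for s in range(now_slot - skew, now_slot + skew + 1))


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()   # shared out of band
    now = slot_for(1_000_000)
    for s, (a, p) in zip(range(now, now + 5), schedule(key, now, 5)):
        print(f"slot {s}: send to {a}:{p}")
    a, p = hop(key, now + 1)
    print("same-key peer accepts a next-slot packet:", accept(key, now, a, p))
    print("packet to a port outside the span is dropped:", accept(key, now, a, 22))
```

Run it twice with the same key and the printed schedule is identical, which is the whole point: two firewalls holding the key agree on where every slot's traffic goes, while a third party sees only an unpredictable walk across four addresses and fifty thousand ports. Whether that buys difficulty rather than mere complexity, Berry's distinction, still depends on the attacker not being able to flood every member address at once.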
