Firewall Wizards mailing list archives

RE: Time for a new FWTK?


From: "Stout, William" <StoutW () pios com>
Date: Wed, 26 Nov 1997 13:05:16 -0500

----- Original Message -----
From: Marcus J. Ranum [SMTP:mjr () nfr net]

chuck yerkes wrote:
Hey, Marcus, want to do the FWTK/DEC SEAL stuff AGAIN under GPL or
the BSD license?  Call it MRTK4FW (you figure it out) and get your
net-immortality.  I'll buy coffee....

I'm pretty much done with firewalls. :) The problem is that I
don't know *HOW* to build the next generation of firewalls,
and I don't want to build another of the previous generation.
"been there, done that" repeatedly...

Actually you're in a perfect position to do that.  The next step up for
WheelGroup's IDS system was to dynamically adjust the filter rules in a
firewall (NGC Borderguard/NetSentry).  You can control a group of
firewalls with an IDS 'non-proprietary standard' and NFR.

Gee, if corporate has an IDS system, and you can figure a way to control
firewalls that way, you can then implement corporate dictatorship over
departmental firewalls.  Maybe even delegate or offload a subset of
control to the departmental admins.

Hmm, that would do some fine-detail of control.  Protocol and
application control on a per departmental basis.  Security by
compartmentalization, aka 'zoning'.

A corporation would have a semi-open DMZ 'backbone'.  This would put an
IS group into the ISP and 'service provider'-server (SQL, App, etc)
business for the corporation.  Departments could buy their own
firewalls, and corporate can dictate that a firewall must be used for
backbone/internet access, and that firewalls meet the NFR standard for
centralized control and IDS.

Another thought.  AFA 'expert analysis', that can be put in a central
box, and the departmental firewalls could in effect ask the dictator
box, "Is this O.K. to pass?".  Client/server distributed firewall
architecture.  NC firewalls.  Other proxy people responsible for 'suck
brain-damaged protocols'.

Bill Stout
