Firewall Wizards mailing list archives
Re: Network appliance
From: Bennett Todd <bet () rahul net>
Date: Fri, 10 Oct 1997 07:05:11 -0700
Mark Teicher wrote:
> What do you mean by a network appliance?
>
> A box that has only one function, and that is separate from other services (i.e. web, ftp, mail).
Up to a point that sounds like a nice idea; certainly, I wouldn't put web servers or ftp servers on the firewall, they'd live on special-purpose dedicated machines in the DMZ, since their role isn't specific to moving data between the inside and the outside --- they're just outside servers that can be accessed, like any other public servers, through the firewall. Mail on the other hand is specific to going through the firewall, and so the firewall has to be passing it through somehow; if it isn't doing related chores like header rewriting (to hide the inside network config) and examining headers for bug exploits intended to burgle sendwhales inside the firewall, then you will need to implement that functionality somewhere else anyway; moving that off the firewall just adds more complexity to your security perimeter.
> Some of the emerging companies have developed small efficient and cost effective appliances. Cisco Centri, AbiiGuard, etc.
Perhaps I don't know what kind of doodad you're talking about. A 2500-series Cisco can do the filtering router trick, with a pretty darned robust IP stack and router implementation and downloadable rules. For the rest of the picture --- content filtering, mail header rewriting, that sort of thing --- I haven't seen anything easier to configure and maintain, or cheaper, than an old PC with your basic free firewall stuff on it.
> There is a company in northern CA that makes something better than a CISCO 2501, with downloadable filter sets and is set up to allow for secure remote computing.
Could be. A little Cisco has downloadable filter sets. As for secure remote computing, that requires a secure remote trusted computing base to do right (you gotta have session crypto) and once you've got that ssh is your friend. If you want plain-text (unencrypted) remote computing with one-time authenticators that's easy too; S/Key works fine for that setting, and so do the hardware tokens if you prefer that sort of thing. I'm still failing to see the hole that this appliance fills in the available lineup.

-Bennett
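The one-time-authenticator scheme Bennett mentions (S/Key) works as a Lamport hash chain: the server stores only the n-th iterated hash of the user's secret, the client answers with the (n-1)-th, and the server accepts if hashing the answer once reproduces what it stored, then replaces its stored value with the answer. The code below is an added illustration of that chain principle, not code from the original post or from any S/Key implementation; it uses SHA-256 and a plain concatenated seed and passphrase, so it is not wire-compatible with real S/Key (which uses MD4 folded to 64 bits and a six-word encoding). The seed, passphrase and chain length are constructed sample values.

```python
import hashlib
import hmac


def step(value: bytes) -> bytes:
    """One link of the chain: H(value). Real S/Key uses MD4 folded to 8 bytes;
    SHA-256 is used here purely to show the mechanism (assumption, not S/Key)."""
    return hashlib.sha256(value).digest()


def initial_secret(seed: str, passphrase: str) -> bytes:
    """Chain root: seed and passphrase combined. The server never stores this."""
    return (seed + passphrase).encode("utf-8")


def hash_chain(seed: str, passphrase: str, count: int) -> bytes:
    """H^count(seed||passphrase): iterate the hash `count` times from the root."""
    value = initial_secret(seed, passphrase)
    for _ in range(count):
        value = step(value)
    return value


class OtpServer:
    """Holds the current verifier H^n and sequence number n for one user.
    Compromise of this record does not reveal any usable one-time password,
    because producing H^(n-1) from H^n requires inverting the hash."""

    def __init__(self, seed: str, verifier: bytes, sequence: int) -> None:
        self.seed = seed
        self.verifier = verifier
        self.sequence = sequence

    def challenge(self) -> tuple[str, int]:
        """Sent in the clear: the client needs seed and current count to respond."""
        return self.seed, self.sequence

    def verify(self, response: bytes) -> bool:
        """Accept iff H(response) == stored verifier, then move down the chain.
        A captured response cannot be replayed: after acceptance the server
        expects the next-lower link, and hashing the old one no longer matches."""
        if self.sequence <= 0:
            return False  # chain exhausted; user must re-initialise
        if hmac.compare_digest(step(response), self.verifier):
            self.verifier = response
            self.sequence -= 1
            return True
        return False


def client_response(seed: str, passphrase: str, sequence: int) -> bytes:
    """Client side: given the server's current count n, answer with H^(n-1)."""
    return hash_chain(seed, passphrase, sequence - 1)


def demo() -> tuple[bool, bool, bool, int]:
    """Walk through one login, one replay attempt, and a second login."""
    seed = "ex12345"            # constructed sample seed
    passphrase = "correct horse"  # constructed sample passphrase
    chain_length = 100            # constructed: number of logins before re-init

    # Initialisation: only H^100 and the count are handed to the server.
    server = OtpServer(seed, hash_chain(seed, passphrase, chain_length), chain_length)

    _, count = server.challenge()
    first_login = server.verify(client_response(seed, passphrase, count))

    # Someone sniffing the plain-text session replays the same response.
    replayed = server.verify(client_response(seed, passphrase, count))

    _, count = server.challenge()
    second_login = server.verify(client_response(seed, passphrase, count))

    return first_login, replayed, second_login, server.sequence


if __name__ == "__main__":
    print(demo())  # (True, False, True, 98)
```

The sequence number and seed travel in the clear with every challenge, which is why this only protects the authenticator and not the session that follows; that is the distinction Bennett draws between one-time passwords for plain-text logins and session crypto such as ssh.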