Firewall Wizards mailing list archives

Re: Network appliance


From: Bennett Todd <bet () rahul net>
Date: Fri, 10 Oct 1997 07:05:11 -0700

Mark Teicher wrote:
> What do you mean by a network appliance?
>
> A box that has only one function, and that is separate from other services
> (i.e. web, ftp, mail).

Up to a point that sounds like a nice idea; certainly, I wouldn't put web
servers or ftp servers on the firewall, they'd live on special-purpose
dedicated machines in the DMZ, since their role isn't specific to moving data
between the inside and the outside --- they're just outside servers that can
be accessed, like any other public servers, through the firewall. Mail on the
other hand is specific to going through the firewall, and so the firewall has
to be passing it through somehow; if it isn't doing related chores like header
rewriting (to hide the inside network config) and examining headers for bug
exploits intended to burgle sendwhales inside the firewall, then you will need
to implement that functionality somewhere else anyway; moving that off the
firewall just adds more complexity to your security perimeter.

> Some of the emerging companies have developed small efficient and cost
> effective appliances. Cisco Centri, AbiiGuard, etc.

Perhaps I don't know what kind of doodad you're talking about. A 2500-series
Cisco can do the filtering router trick, with a pretty darned robust IP stack
and router implementation and downloadable rules. For the rest of the picture
--- content filtering, mail header rewriting, that sort of thing --- I haven't
seen anything easier to configure and maintain, or cheaper, than an old PC
with your basic free firewall stuff on it.

> There is a company in northern CA that makes something better than a CISCO
> 2501, with downloadable filter sets and is set up to allow for secure remote
> computing.

Could be. A little Cisco has downloadable filter sets. As for secure remote
computing, that requires a secure remote trusted computing base to do
right (you gotta have session crypto) and once you've got that ssh is your
friend. If you want plain-text (unencrypted) remote computing with one-time
authenticators that's easy too; S/Key works fine for that setting, and so do
the hardware tokens if you prefer that sort of thing.

I'm still failing to see the hole that this appliance fills in the available
lineup.

-Bennett
