Firewall Wizards mailing list archives

RE: stealth firewalls


From: "Don Flanagan" <dflanagan () bytex com>
Date: Fri, 18 Jan 2002 14:33:35 -0600

Hardware-based security devices are better able to keep pace with increasing
bandwidth. The current Bytex firewall, for example, is a "stealth" or
"bump-in-the-wire" hardware device. Our next-generation product can also be
a stealth device, or it can combine packet filtering with one or more
complementary applications (e.g., VPN, intrusion detection, network
monitoring) that require IP addressability. The crucial point for us is that
all of the functions be performed on the same board--with high-speed
customized media interfaces, specialized network processors, an embedded OS,
and optimized firmware (whether it is tricky or not I will leave to others
to decide). This is in contrast to appliances that use standard NICs, a
generic processor and OS, and custom application software riding on top.
They are cheaper, but they don't deliver the performance needed in gigabit
environments.

Don Flanagan
Bytex Corp.
www.bytex.com


-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of ark () eltex ru
Sent: Thursday, January 17, 2002 4:08 PM
To: Nate Campi
Cc: Irwin Lazar; 'firewall-wizards () nfr com'
Subject: Re: [fw-wiz] stealth firewalls


The word "firewall" becomes somewhat confusing when used in this context.

Actually there are two different tasks and two different classes of devices
that have some similarities, but the approach and implementation are
completely different:

"firewalls" that implement simple filtering and basic DoS protection
for large networks and big servers. Those are usually hardware-accelerated
devices that have tricky optimized firmware inside. The main goal is
performance. You place those just behind your border router.

"firewalls" that implement in-depth data inspection, authentication and
access control. General-purpose Unix with some modifications and application
software fits the best. Those are not fast but smart - they are designed
this way. If you say "I have n*K workstations and my firewall cannot
handle the load", it probably means you have done everything wrong.
There should NOT be such a number of workstations homogeneous from a
security viewpoint. You probably need more firewalls, each protecting
its own department network.

Let's not mix the two.

(I did not mention VPN devices, often called firewalls too ;)

YOU (Nate Campi) WROTE:

 Most firewalls hosted on general-purpose UNIX hosts can't handle the
 large amounts of traffic that many of us would need to throw at them.

 Recently my work needed syn-flood protection for a network where
 outgoing traffic filled the two 100 Mbit uplinks, and only dedicated
 devices could fill this niche. The one they use uses the same
 approach, essentially bridging the traffic.


--
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
