Firewall Wizards mailing list archives
Re: Firewalls Compared
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 22 Jun 2004 17:43:18 -0400 (EDT)
On Wed, 23 Jun 2004, Devdas Bhagat wrote:
> Thinking about it a bit more, I guess that what I am saying is that people who actually follow BCP are collateral damage. *That* is not appreciated.

Sure, the same was true of the phone system before OOB signaling became common- though abuse wasn't quite so widespread.

>> Sure, but if you have end-to-end QoS, you can potentially allow things per-flow once you move control out of band. QoS allows you to do things
> One packet establishes a flow? The router in the middle dies.

The RADB stuff has been pretty good for tracking DDoS stuff, and I think is a good groundwork for further out of band control- most times you don't transit more than 5 networks to get to an endpoint, the real question is can we scale the flow stuff, and if so where? Maybe per-destination AS in aggregate would work... Don't get me wrong, we're not there- but I think we have most of the groundwork in bits and pieces, we just need to either swap out or fix layer 2 (swapping for something like DWDM would be nice, with control channel signaling somewhere in the mix, but I think we can get by without it.)

>> like allow a routing arbiter to get through, or even authentication/authorization traffic like the tagged packet "marker dye" stuff.
> Yeah. But that doesn't let the user work.

Hrm, I thought the marker dye stuff worked pretty well, and it definitely doesn't impact the users one bit, since it's out of band origin information. In fact, I think it's one of the more novel things Cisco's tried.

>> It could if you did QoS on the switch- you just have to be able to policy QoS out to the leaf nodes, where the bandwidth matters. More integrated
> Again, we are speaking of home users on broadband. What switch?

In that case, the leaf node for their provider, furthest downstream is preferable.

> I agree with your point. I pointed out one more solution. Though a Linux box with OS and apps in ROM would be interesting.

If it's upgradeable, it's likely to be abusable though...

<snip>
>> In my experience, it's been more ignorance that they *could* set the firewall up that way or lack of power to set it up that way.
> Different locations, different perspectives :). The cost of the system is a very large factor in influencing firewall purchases.

I suppose in some places that's an issue, cheap boxes here have changed the equation for getting a firewall, they just haven't changed the equation for actually configuring one well...

From a strategic perspective, I'm much more worried about bad actors and intruders than worms, I see worms as tactical, Exec-shield, NX, and other things will evolve to handle them, just as AV evolved to handle macro viruses, which were a huge issue at one point.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson        "My statements in this message are personal opinions
paul () compuwar net         which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment, TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
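The exchange above turns on one engineering point: if a single packet installs per-flow state in a router in the path, a host spoofing source addresses fills that table and legitimate flows become the "collateral damage" Devdas mentions, whereas keying state on an aggregate (Paul's "per-destination AS in aggregate") bounds the table by the number of destinations rather than by the number of packets. The following toy model is an added example written for this archive page; it is not code from either poster. The traffic it feeds itself is constructed inline, and the /24 destination prefix used as the aggregation key (standing in for a destination AS) is an assumption made for illustration.

```python
"""Added example, not part of the original thread or either poster's code.
Toy model of the state-exhaustion point raised above: a per-5-tuple table
that installs an entry on the first packet of every flow is filled by one
host spoofing sources, while an aggregate key (destination /24 here, an
assumed stand-in for "per-destination AS") stays bounded."""
import ipaddress
import random


def gen_spoofed_flood(n, dst="198.51.100.10", seed=1):
    """Constructed traffic: n TCP packets to one destination, each from a
    random (spoofed) source address and ephemeral port, so no two packets
    are expected to share a 5-tuple."""
    rng = random.Random(seed)
    return [
        (str(ipaddress.IPv4Address(rng.getrandbits(32))),
         rng.randrange(1024, 65536), dst, 80, "tcp")
        for _ in range(n)
    ]


def per_flow_state(pkts, capacity):
    """Per-5-tuple state table with a hard capacity.  Returns
    (entries_in_table, new_flows_refused_because_table_was_full)."""
    table = set()
    refused = 0
    for flow in pkts:
        if flow in table:
            continue                 # existing flow, no new state needed
        if len(table) >= capacity:
            refused += 1             # table full: every later new flow fails
            continue
        table.add(flow)              # one packet establishes a flow
    return len(table), refused


def per_dest_prefix_state(pkts, prefixlen=24):
    """Aggregate state keyed on destination prefix only.  Returns the
    number of entries, which cannot exceed the number of distinct prefixes
    seen, however many sources are spoofed."""
    table = {}
    for _src, _sport, dst, _dport, _proto in pkts:
        key = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
        table[key] = table.get(key, 0) + 1
    return len(table)


if __name__ == "__main__":
    flood = gen_spoofed_flood(20000)
    print("per-flow (entries, refused):", per_flow_state(flood, capacity=10000))
    print("per-prefix entries:", per_dest_prefix_state(flood))
```

With 20,000 spoofed packets against a 10,000-entry table the per-flow version fills up and refuses roughly half the arrivals, and any legitimate flow arriving after that point is refused as well, which is the collateral-damage case. The same traffic produces a single entry under the prefix key; the trade-off, which the model makes visible, is that aggregate state can no longer distinguish one source's flows from another's, so it supports rate limiting toward a destination but not per-flow admission.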
Current thread:
- Firewalls Compared kashif (Jun 21)
- Re: Firewalls Compared Paul D. Robertson (Jun 21)
- Re: Firewalls Compared Gwendolynn ferch Elydyr (Jun 21)
- Re: Firewalls Compared Dave Piscitello (Jun 21)
- Re: Firewalls Compared Ryan M. Ferris (Jun 22)
- Re: Firewalls Compared Paul D. Robertson (Jun 22)
- Re: Firewalls Compared Devdas Bhagat (Jun 22)
- Re: Firewalls Compared Paul D. Robertson (Jun 22)
- Re: Firewalls Compared Devdas Bhagat (Jun 22)
- Re: Firewalls Compared Paul D. Robertson (Jun 23)
- Re: Firewalls Compared Paul D. Robertson (Jun 21)
- RE: Firewalls Compared Laura Taylor (Jun 26)
- Re: Firewalls Compared ArkanoiD (Jun 28)
- RE: Firewalls Compared Laura Taylor (Jun 28)
- Re: Firewalls Compared Marcus J. Ranum (Jun 28)
- RE: Firewalls Compared Eugene Kuznetsov (Jun 29)
- RE: Firewalls Compared Ben Nagy (Jun 30)
- Re: Firewalls Compared Devdas Bhagat (Jun 30)
- Re: Firewalls Compared Crispin Cowan (Jun 30)
- Re: Firewalls Compared ArkanoiD (Jun 29)
- Re: Firewalls Compared Dave Piscitello (Jun 24)