Firewall Wizards mailing list archives

Re: Firewalls Compared


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 22 Jun 2004 17:43:18 -0400 (EDT)

On Wed, 23 Jun 2004, Devdas Bhagat wrote:

> Thinking about it a bit more, I guess that what I am saying is that
> people who actually follow BCP are collateral damage. *That* is not
> appreciated.

Sure, the same was true of the phone system before OOB signaling became
common- though abuse wasn't quite so widespread.

> > Sure, but if you have end-to-end QoS, you can potentially allow things
> > per-flow once you move control out of band.  QoS allows you to do things
> One packet establishes a flow? The router in the middle dies.

The RADB stuff has been pretty good for tracking DDoS stuff, and I think
is a good groundwork for further out of band control- most times you don't
transit more than 5 networks to get to an endpoint, the real question is
can we scale the flow stuff, and if so where?  Maybe per-destination AS in
aggregate would work...  Don't get me wrong, we're not there- but I think
we have most of the groundwork in bits and pieces, we just need to either
swap out or fix layer 2 (swapping for something like DWDM would be nice,
with control channel signaling somewhere in the mix, but I think we can
get by without it.)

> > like allow a routing arbiter to get through, or even
> > authentication/authorization traffic like the tagged packet "marker dye"
> > stuff.
> Yeah. But that doesn't let the user work.

Hrm, I thought the marker dye stuff worked pretty well, and it definitely
doesn't impact the users one bit, since it's out of band origin
information.  In fact, I think it's one of the more novel things Cisco's
tried.

> > It could if you did QoS on the switch- you just have to be able to policy
> > QoS out to the leaf nodes, where the bandwidth matters.  More integrated
> Again, we are speaking of home users on broadband. What switch?

In that case, the leaf node for their provider, furthest downstream is
preferable.

> I agree with your point. I pointed out one more solution.
> Though a Linux box with OS and apps in ROM would be interesting.

If it's upgradeable, it's likely to be abusable though...

<snip>
> > In my experience, it's been more ignorance that they *could* set the
> > firewall up that way or lack of power to set it up that way.
> Different locations, different perspectives :).
> The cost of the system is a very large factor in influencing firewall
> purchases.

I suppose in some places that's an issue, cheap boxes here have changed
the equation for getting a firewall, they just haven't changed the
equation for actually configuring one well...

From a strategic perspective, I'm much more worried about bad actors and
intruders than worms, I see worms as tactical, Exec-shield, NX, and other
things will evolve to handle them, just as AV evolved to handle macro
viruses, which were a huge issue at one point.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

