Re: CyberInsecurity: The cost of Monopoly

[Florian Weimer <fw () deneb enyo de>]

On Sun, Sep 28, 2003 at 08:04:58PM +0200, Michal Zalewski wrote:

> I'd argue... many vendors (Okena aka Cisco, BlackICE aka ISS, etc)
> provide integrated corporation-wide mechanisms for enforcing group
> firewalling, access and logging/IDS policies on workstations or groups of
> workstations (and, why not, also servers).

I've looked at one or two such products, and if you leave some
technological issues aside (I don't like it when both the original
vendor and an ISV tamper with the TCP/IP stack, this could have unwanted
consequences), they were rather nice, except for the prohibitive
licensing model and the limited applicable in heterogenous networks
(i.e. more than just Windows 2000 and XP, and maybe Red Hat).

It seems to me that this technology is not universally suited for
pampering over administrative problems.  For recovery purposes, I'd
rather have control over the network traffic after it has left the host,
so that it's easy to trace it back to the source and null route it.

> There are some ridiculously expensive "firewall switches" that are
> IP-aware and enable per-port separation and firewalling...

You can do this with any 802.1q-capable switch and a PC as a router.
Peak performance sucks, but that's typically not a problem.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html