Background:
We have several projects being planned as separate WANs
interconnecting lots (>20 near-term) of different institutions and
practices (with hundreds of sites planned long-term). These are
being independently developed and are calling for a bunch of
different protocol suites, OS's, and WAN technologies connecting
through our planned (strong) firewall perimeter and into our core
network. All of this data is for health care and pretty
confidential.
We will be running IP through the firewall, Banyan Vines is planned,
SNA and Novell and NetBIOS have been requested, and I wouldn't be
surprised if someone wants AppleTalk and whatever Microsoft is
backing for Windows for Workgroups (and NT). Since we can't route
everything we'll be bridging too. Also Vines, Novell, and AppleTalk
do/can have both IP and SNA traffic tunnelled through them.
Questions:
-Can a multi-protocol firewall realistically be built and secured?
-Is this a good idea?
-Is anyone else doing this?
-Are there any firewall products or kits available for protocols
other than IP?
-Can bridged traffic meaningfully be secured through a firewall?
-Are these proprietary protocols secure and/or well documented?
-Are there any studies/proofs of the security/insecurity of these
protocols?
-How do I refute vendor claims that their proprietary protocols are
so secure they don't need a firewall (or are they right)?
-What are the risks of doing all of this when some of the protocols
aren't completely understood by the staff who has to run this?
-Does it make sense to spend a lot of effort building a solid
IP-only firewall if there are these other backdoor protocols?
Personally, I don't think this is a good idea. But since there's a
lot of political weight behind these projects, the burden is on me
to prove any problems (there are outside technical people promoting
this). Any documentation, references, or other evidence would be very
appreciated.
I would be happy to submit a summary document to the GreatCircle
archives (as long as I can assemble meaningful answers).
Thank you,
-Scott R. Corzine-
New England Medical Center
<scott @ nemc . org>