>First, I appreciate the fact that you took time to mention "Blackhole"
>and share your experience. The above recommendation, however, is lacking
>a number of technical pieces to support it.
Mea culpa. I just signed on to this list and am (was) not aware of the
flavour or expectations.
>What makes you think that their transparency method allows total protection?
>What is YOUR definition of total protection? What exactly IS this method
>and how do they implement it? What do you mean by good stats? Rejected
>attacks? How well have you tested the various security policies that this
>firewall is supposedly enforcing?
Okay, let me give a description of how BlackHole works:
- based on the TCP routing principle, which requires all IP packets between the
Internet and the protected network to pass through BlackHole.
- BH's operating system kernel is modified to disable all IP forwarding,
source routing, and IP redirecting functions (i.e. no ICMP redirecting).
- monitors all inbound and outbound traffic and authorizes access based on
what the administrator has specifically allowed via the maintenance of a
table. By default, nothing comes in or out until the file is configured for
the desired effect.
Transparency (which is what I originally wanted to illuminate):
- Once BH receives a packet requesting a connection, it will attempt to start
a session to the target machine on behalf of the internal host. Once
connected, BH will relay all packets between the private and the target
hosts. Both hosts 'believe' they are communicating directly, but in reality,
BH authenticates and passes traffic between them.
- internal users need not connect to a proxy server, then from there manually
start another session to the target - as is the case with the other firewalls
I looked at. BH allows for seamless connections. The end user sees no
difference, and more importantly, Windows clients such as FTP and Telnet are
not adversely affected by a two-step process. Seamless and transparent.
- "advanced" applications such as Mosaic are not inhibited - due to
transparency. With some other firewalls, sys admins will need to get the
httpd proxy and slap it on. What about future applications? Will you
continually have to wait until someone on the net writes a proxy? Will it be
safe? These issues are of no concern with BlackHole, due to transparency.
- I have used the logfiles to not only show access denials, but also usage of
Internet clients internally (FTP, Gopher, Telnet, Mosaic) as well as incoming
and outgoing mail. There are stats for the entire centre as well as for
individual users. We can see who the top WWW users are, who receives the most
Internet mail, etc. These stats can be very useful for making a case to
management. For example, I graphed usage of Gopher and WWW by our staff. By
showing that the WWW usage was increasing and the gopher usage levelling off,
I was able to convince management that we need to provide a WWW server for
dissemination, in addition to the gopher server we have now (based on the
assumption that if our own staff is leaning toward WWW, so might the rest of
What I would humbly suggest is that if non-techie management types who are
listening want to try it out, they should not simply believe Kevin McCann and
instantly issue a purchase order. Rather, they should ask for an evaluation
term and commission a technical person to test the yingyang out of it (as I
Regards (and thanks for your point well made, Jeff),
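The transparent relay with an administrator-maintained, default-deny table that the message above describes, as an added illustration that is not BlackHole's code and not part of the original post. The rule format (source network, destination host or "*", port or "*"), the function names, the in-memory audit list and the loopback echo host standing in for the remote Internet host are all assumptions made for the example; the kernel-side packet interception that steers connections into the relay in the first place is not shown.

```python
import ipaddress
import socket
import threading

# Constructed policy table, a hypothetical stand-in for the administrator-maintained
# table: (source network, destination host or "*", port or "*"). Positive rules only.
SAMPLE_TABLE = [
    ("10.0.0.0/8", "*", 80),  # internal hosts may reach any WWW server
    ("10.0.0.0/8", "*", 21),  # ... and any FTP control port
]

def is_allowed(table, src_ip, dst_host, dst_port):
    """True only when a rule explicitly permits src_ip -> dst_host:dst_port (default deny)."""
    src = ipaddress.ip_address(src_ip)
    for net, host, port in table:
        if src in ipaddress.ip_network(net) and host in ("*", dst_host) and port in ("*", dst_port):
            return True
    return False

def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client, target, table, log):
    """Relay one accepted client to target if the table allows it; record the decision in log."""
    src_ip = client.getpeername()[0]
    host, port = target
    if not is_allowed(table, src_ip, host, port):
        log.append(("DENY", src_ip, host, port))
        client.close()
        return False
    log.append(("ALLOW", src_ip, host, port))
    # Open the outbound session on the client's behalf, then shuttle bytes both ways.
    upstream = socket.create_connection(target)
    worker = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    worker.start()
    _pump(upstream, client)
    worker.join()
    client.close()
    upstream.close()
    return True

def _echo_once(listener):
    """Stand-in for the remote Internet host: echo one connection back."""
    try:
        conn, _ = listener.accept()
    except OSError:
        return
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)

def relay_roundtrip(message, table, log):
    """Loopback demo: client -> relay -> echo host; returns the reply, or None if refused."""
    echo = socket.socket()
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)
    relay = socket.socket()
    relay.bind(("127.0.0.1", 0))
    relay.listen(1)
    threading.Thread(target=_echo_once, args=(echo,), daemon=True).start()
    outcome = {}
    def serve():
        client, _ = relay.accept()
        outcome["relayed"] = handle(client, echo.getsockname(), table, log)
    server = threading.Thread(target=serve, daemon=True)
    server.start()
    chunks = []
    with socket.create_connection(relay.getsockname()) as c:
        try:
            c.sendall(message)
            c.shutdown(socket.SHUT_WR)
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except OSError:
            pass  # a refused connection is simply reset by the relay
    server.join()
    relay.close()
    echo.close()
    return b"".join(chunks) if outcome["relayed"] else None
```

Two things worth noticing when running it: the far end only ever sees a TCP peer at the relay's own address, because the relay terminates the client's session and opens a fresh one, which is what makes the two-step proxy login unnecessary for the user; and a connection with no matching rule never reaches the target at all, leaving only a DENY entry in the audit list, which is the default-deny behaviour the post attributes to an unconfigured table.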