> > This Hannah product looks like what I've been looking for. It puts
> > "network security" where it belongs...on the nodes. I liken this
> > to putting locks on building doors rather than gates across
> > heavily traveled roads. Then the communications infrastructure
> > can be upgraded and used as intended...as a communications highway.
> > Problems with firewall throughput go away.
> > Is anyone else excited about this product or am I missing something?
> I'm not familiar with this particular product. That said, I'd like to
> address a couple of points that you make about it.
> First, there's the possibility that people will not use the product, or
> that their product will not fit all types, styles, and rev levels of
> computer on your network. Once one of the systems on your network is
> compromised it becomes a safe staging area for attacks on the rest of
> your network. Which leads us to ...
Policy should take care of what people use. If policy is ignored, then
you won't have much security no matter what you do. The product is
limited to winsock, hpux, and SCO right now but good products have a
habit of being rapidly ported. If the critical systems are protected
individually, it's less disastrous if a non-critical system gets
compromised. This isn't true of a "soft chewy center".
> Second, the whole reason people put the soft chewy center in the middle
> of a very hard shell is so there is a single access point to be
> administered. It's one thing to get a good security person to
> manage/monitor the firewall through which all traffic flows. It's
> another thing altogether (usually thought impossible in any sizeable
> installation) to try and have many administrators adequately secure their
Hannah is centrally administered although you have to install the
product on all the platforms. So there is a central security
administrator. Software distribution, installation, and configuration
management mechanisms and policies need to exist for network/node
management anyway, so the addition of one more product shouldn't
negate the overall concept.