Great Circle Associates Firewalls
(March 1996)
 


Subject: Re: Firewalls: NT versus UNIX
From: C Matthew Curtin <cmcurtin @ gatekeeper . cb . att . com>
Date: Mon, 11 Mar 1996 23:11:59 -0500
To: Jay Tingiris <jtingiris @ gw . paradyne . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <s144828a . 089 @ gw . paradyne . com>
References: <s144828a . 089 @ gw . paradyne . com>
Reply-to: cmcurtin @ gatekeeper . cb . att . com

>>>>> "Jay" == Jay Tingiris <jtingiris @ gw . paradyne . com> writes:

Jay> Low Cost Firewall: $2,000 US (hardware/software included)

Jay> Supported Services: 
Jay> 1) TCP/IP filtering mechanism that allows for priority queuing
Jay> 2) HTTP caching proxy support (internal and external)
Jay> 3) FTP caching proxy support (internal and external)
Jay> 4) GOPHER caching proxy support (internal and external)
Jay> 5) Telnet proxy support (internal and external)
Jay> 6) SMTP secured mail transport mechanism (inbound and outbound)
Jay> 7) DNS Server Capability (forwarding, caching, and secondary support)
Jay> 8) HTTP Server Support for External/Internal WWW pages
Jay> 9) MBONE tunnel endpoint (secure internal broadcast)
Jay> 10) IRC Client and Server support (internal and external) 
Jay> 11) WAIS caching proxy support (internal and external) 
Jay> 12) POP mail support 
Jay> 13) Automatic Status reports and cache management features.  
Jay> 14) ALL ON THE SAME MACHINE!

I would consider putting all of these things on the same machine to be
-at best- an unwise move.

Perhaps the biggest problem here is that you've got a single machine
upon which you become critically dependent, and that machine is a
single point of failure. From a security standpoint, as well as a
functionality standpoint. If someone launches a denial of service
attack against your web server, it can take out your mail relay,
too. And DNS, and proxy caching server, etc... you get the idea.

Further, you've complicated setup, because now you need to make sure
that everything is working together, which may or may not be a big
deal. But it is a more complicated configuration to have to rebuild if
the machine catches on fire...

I fear that we're going to start seeing lots of these silly machines
start coming up ... everything in one. A bad idea for security, a bad
idea for service ... but they, like so many other dumb things that
people with money claim to "need," will probably become successful
products from the perspective of marketing and profitability. Sigh.

--
C Matthew Curtin               [AT&T|Bell] Labs               Internet Posse
http://www.att.com/homes/matt_curtin.html PGP OK cmcurtin @ gatekeeper . att . com

