> design. Now with more technology, like stateful packet filtering, dynamic
> "proxying" (like PIX), many of the prototypical designs don't quite fit
> anymore. (Note: that does *not* make the prototype invalid - just that
I'd argue that they add additional weapons to our arsenal of devices from
which we can choose to implement our policies.
> the need is there to reconsider new prototypes). Proxies are still
> important, as are packet filtering devices, but how do these new devices
I think that it is a function of what you are using proxies for. If you
were using proxies merely to prevent direct access from machine X to the
internet and vice versa, and/or to allow you to use the unrouted nets (e.g.
10/8), then yes, I'd 100% agree that the above change the equation, as they
make implementation much easier and more transparent on the desktop end of
things.
> change the equation? Can the use of "stealth" firewalls (like PIX or
> quiet "pass-through-only" multi-homed firewall) change the need for the
> dual router config??
well, since the devices effectively provide a good deal
of router functionality -- a superset of what most exterior
routers provide -- i would argue "yes", you could replace a router
with one of those beasties -- provided that it has the throughput
that you want. Let's look at an insane case:
OC48 -- _BIG_ router --- herd of protocol firewalls -- inside
with something that can easily punch one f/w out, i'd want more, hence the
need for additional routers. likewise, we'd have to special-case it in
terms of r --- f/w --- r as a function of my internal topology and what
access controls i want on what network.
>
> I think that perhaps a good discussion here would be what new prototypes
> these new firewall devices offer - how does stateful packet filtering
> change the need for dual routers - how can proxies be used more
> effectively (and in ways that reduce the latency, overhead, and
> frustration that some users encounter in trying to use them.....), and
> how can we back up to a conceptual design that sets goals of the firewall
> design. I'd like to hear some unique designs that use these devices that
> thereby can offer some levels of security that routers and bastion hosts
> cannot - while also allowing an enhanced range of services. These are
> new devices that can *potentially* offer great advantages for us firewall
> builders....how can we use them most effectively??
yes, i would be interested in seeing what *new* things we can come
up with now that we have some shiny new toys.
-- craig
-------------------------------------------------------------------------------
Craig I. Hagan      "It's a small world, but I wouldn't want to back it up"
hagan@cih.com       "True hackers don't die, their ttl expires"
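As an added illustration, not code from the thread or from either poster, here is a small Python model of the distinction the exchange turns on: a stateless exterior-router ACL that admits inbound TCP on the "established" (ACK) bit alone, beside a stateful filter that keeps a connection table in the PIX style. Every address, port and packet below is constructed for the example.

```python
from typing import NamedTuple, List, Tuple

# Constructed model: stateless "exterior router" ACL vs. stateful packet filter.
# Inside net is 10/8, as in the thread; all traffic below is made up.

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S", "SA", "A"
    direction: str   # "out" = inside -> internet, "in" = internet -> inside

def router_acl(pkt: Packet) -> bool:
    """Classic screening-router rule set: permit everything outbound, and
    permit inbound TCP only if it looks 'established' (ACK bit set).
    The router remembers nothing about earlier packets."""
    if pkt.direction == "out":
        return True
    return "A" in pkt.flags

class StatefulFilter:
    """Connection-tracking filter: an outbound SYN creates a table entry and
    inbound packets are accepted only if they reply to a tracked flow."""
    def __init__(self) -> None:
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":          # new connection opened from inside
                self.flows.add(key)
            return key in self.flows      # other outbound packets need a flow too
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reply direction
        return key in self.flows

def compare(traffic: List[Packet]) -> List[Tuple[bool, bool]]:
    """Return (router_verdict, stateful_verdict) for each packet, in order."""
    sf = StatefulFilter()
    return [(router_acl(p), sf.check(p)) for p in traffic]

# Constructed sample: one legitimate web session opened from inside, then two
# unsolicited inbound packets aimed at an inside ssh port.
SAMPLE = [
    Packet("10.1.1.5", 40000, "198.51.100.7", 80, "S", "out"),   # inside opens HTTP
    Packet("198.51.100.7", 80, "10.1.1.5", 40000, "SA", "in"),   # server's SYN/ACK reply
    Packet("203.0.113.9", 1234, "10.1.1.20", 22, "A", "in"),     # unsolicited, ACK bit set
    Packet("203.0.113.9", 1234, "10.1.1.20", 22, "S", "in"),     # unsolicited SYN
]
```

The third packet is the point: the ACK-only router rule passes it because it "looks established", while the stateful table rejects it because no inside host ever opened that flow.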
References:
- Re: Cisco PIX, from: "Daniel J Blander - Sr. Systems Engineer for ACS" <Daniel.Blander@ACSacs.Com>