Great Circle Associates Firewalls
(November 1992)
 


Subject: Re: what shall thy firewall hardware be?
From: Richard Childers <rchilder @ us . oracle . com>
Date: Tue, 24 Nov 92 11:53:00 PST
To: Firewalls @ GreatCircle . COM

>From: Bill Wohler <wohler @ sap-ag . de>
>Date: Mon, 23 Nov 1992 21:26:38 +0100
>Subject: what shall thy firewall hardware be?

				.
				.
				.
  just occurred to me that i might not be able to get two network
  interfaces in the hp 710.  if this is the case, what is the danger
  in setting up the router so that it only passes traffic from both
  the external and internal networks only to the gate?  is it better
  to get a gate that has two network interfaces?


I think it would be _much_ better to use two physically separate
interfaces. This anticipates the possibility of future methods of breakin
which might bypass the filtering mechanism on the router.

Consider the following possibility : a disgruntled employee writes a
trapdoor routine into the assembler code in the router's kernel, so that
he can reset the filtering mechanism(s), perhaps even without it being
logged. Because it's assembler, or Forth, it doesn't get noticed ...

Let's extrapolate a little further and say that this gets out into the
grapevine, and, crackers having learned not to boast, it stays a secret,
used by only a few, and never comes to the attention of CERT.

Those two physically discrete interfaces may now be all that's left of
your firewall, and whatever logging is in place may be all that you have
by which to detect such a breakin, if they don't actually try to break in
to the gateway itself ( which is, of course, being closely monitored at
all times ).

Also, two interfaces makes for better throughput ...


-- richard

=====
-- richard childers		rchilder @ us . oracle . com		1 415 506 2411
         oracle data center  --  unix systems & network administration

                    Klein flask for rent. Inquire within.

