Great Circle Associates Firewalls
(June 1994)

Subject: Re: Cisco software update?
From: ted . doty @ nsco . network . com
Date: Fri, 3 Jun 94 09:43:57 PDT
To: Colin Campbell <sgcccdc @ citec . qld . gov . au>, Firewalls @ greatcircle . com

>It seems the cost of routers and say a 486-66 based PC are similar. With 
>a cutdown UNIX, screend (or similar) and appropriate comms hardware (too
>costly ?) would not such a configuration be a viable alternative to a router?
>One could then provide the filtering/logging/whatever services that suited the
>application and not be at the mercy of anyone in particular.

Depends on what you want.  If you just want to protect your LAN from the
Internet, and you're only interested in screening out a few things, then, yeah,
it probably is more cost effective (especially if you're a Unix guru and
your time is essentially free to your organization).

If you need to provide protection to thousands of hosts scattered over
a wide area (geographically or IP-wise), then what becomes important is
the implementation/assurance/maintenance of policy.

We have a tool that parses your filters and produces an english-language
report of the policy implemented.  We wrote this so that we could provide
feedback to management at one site showing them what their policy was at
any moment in time.  The atomic unit of the report is a "requirement"
(ip-source-address,ip-destination-address,application-service).

This site (a large DoD agency) has over 100,000 requirements implemented
across several hundred routers.  The main issue here is not the capability
of the routers (or firewalls); it's assurance of correct policy implementation.

Your mileage is almost certain to be different, but don't be surprised if
your configuration changes daily.

- Ted
--------------------------------------------------------------------------
Ted Doty, Network Systems Corporation | phone:      +1 301 596-2270
8965 Guilford Road, Suite 250         | fax:        +1 410 381-3320
Columbia, MD, 21046 USA               | voice mail: (800) 233-1485
--------------------------------------------------------------------------
if (setsockopt(skfd,SOL_SOCKET,STD_DISCLAIMER,(char *), &sbuff,&optlen) < 0)
   printf ("Standard Disclaimers Apply ...\n");
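The policy-report tool Ted describes, sketched as an added example that is not his tool or Network Systems Corporation code: a small Python parser that reads classic IOS extended access-list lines (a constructed sample) into (source, destination, service) requirements and words each one as an English sentence. The service-name table, the `Requirement` class and the contiguous-wildcard assumption are this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network

# Constructed sample input (not from the original post): classic IOS
# extended access-list lines, the "filters" the message refers to.
SAMPLE_ACL = """\
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 25
access-list 101 permit tcp any host 192.168.10.5 eq 80
access-list 101 deny ip any any
"""
# Hypothetical (protocol, port) -> name table used to word the report.
SERVICE_NAMES = {("tcp", "25"): "SMTP", ("tcp", "80"): "HTTP", ("ip", "any"): "all IP traffic"}

@dataclass(frozen=True)
class Requirement:  # the report's atomic unit, plus the action taken on it
    action: str
    src: str
    dst: str
    service: str

def parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (cidr, next_i)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]}/32", i + 2
    # Wildcard mask -> prefix length (assumes a contiguous mask, as in the sample).
    ones = bin(int(IPv4Address(tokens[i + 1]))).count("1")
    return str(ip_network(f"{tokens[i]}/{32 - ones}", strict=False)), i + 2

def parse_acl(text):
    """Turn extended access-list lines into Requirement records, in filter order."""
    reqs = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # blank lines and syntax this toy parser does not handle
        action, proto = t[2], t[3]
        src, i = parse_addr(t, 4)
        if i < len(t) and t[i] == "eq":  # optional source-port qualifier
            i += 2
        dst, i = parse_addr(t, i)
        port = t[i + 1] if i < len(t) and t[i] == "eq" else "any"
        service = SERVICE_NAMES.get((proto, port), f"{proto}/{port}")
        reqs.append(Requirement(action, src, dst, service))
    return reqs

def english_report(text):
    """One plain-English sentence per requirement, e.g. for a management report."""
    return [f"{r.action.capitalize()} {r.service} from {r.src} to {r.dst}."
            for r in parse_acl(text)]
```

Run against a real router's access lists, the sentence list is what a reviewer diffs day to day to confirm the policy still says what management approved.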
