Great Circle Associates Firewalls
(November 1994)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Promiscuous systems
From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)
Date: Fri, 18 Nov 94 13:22:59 -0500
To: "firewalls @ greatcircle . com"

Tim rites:

>One other possibility to keep people from using their machine to scarf packets
>from the network is to use a network card that provides access 
>control between host systems (which hosts can talk to which hosts) and 
>also encrypts all transfers on the network.  Such a beast has been around for 
>a few years (since 1985) and has been evaluated by NSA as a B2 level 
>network component.  
>It's not cheap (about 1K per network board) so it 
>might be overkill for some/most commercial situations but if you REALLY WANT 
>TO BE SURE that a user can't sit back in his PC, SUN, MAC, etc. and soak up 
>everything on your network then this is for you.

Have been evaluating similar things and have come to the conclusion that it is
not cost effective on a per-node basis. Per subnet it makes a lot more sense
so I have been examining assigning subnets along project/department/workgroup
lines where the individual nodes are trusted by each other and protecting the
connections to be backbone.

For a large installation like ours, equipping individual entities with 
firewall/filter/encryption capabilities makes sense in the macro. *Not*
having to specially equip every node makes cents in the micro. Win-Win
and *lots* easier to troubleshoot.

Of course what we *really* need is a $25.00 encryption add-in that can be 
plugged into the Boot-P ROM socket...

Indexed By Date Previous: Re: syslog in chrooted environment
From: jimc @ e-Commerce . Com (Jim Carroll)
Next: Re: terminology
From: Phil Trubey <phil @ netpart . com>
Indexed By Thread Previous: Re: A bit of DNS help
From: patrick @ oes . amdahl . com (Patrick Horgan)
Next: Re: Promiscuous systems
From: hcb @ clark . net

Search Internet Search