Great Circle Associates Firewalls
(March 1995)

Subject: Re: Feeping Creaturism in routers (was Re: Response to Satan)
From: "Barry J. Archer" <boatmens!bja @ uustar . starnet . net>
Date: Fri, 31 Mar 1995 10:19:26 -0600 (CST)
To: firewalls-digest @ greatcircle . com

  Geecch...this is, IMHO, getting a bit silly.  Why is ntp on a router any
more creeping featurism than ntp on a Bastion host?  Particularly, since 
I'll bet that some of these routers have more resources and better separation
of function code-wise than some bastion OS's code.  In a previous life I got
to play with some untested code on a cisco router that was both heavily 
active, handling multiple protocols and had extensive extended access-lists
( including DECnet ;-) ).  No sweat. I've always been impressed with the 
independence of function, as well as the default OFF state shipped.  I'm 
sure other routers out there have similar care taken in their kernel and
functional design.

  As the B&C bible says, packet filtering routers and bastion hosts are 
*BOTH* important *tools* in constructing an organization's security-controlled
interface to (the internet)|(other departments)|(other private nets), i.e.
a firewall.  I really think there's much more to be gained in exploring 
firewalls to discuss how packet-filtering routers and bastion hosts 
*complement* each other in applying security policies to connectivity.

  I personally like using packet-filtering to control/limit/log what sort of
traffic can even reach the fwtk host, or get passed where from inside the
production net(s).  One question I'm asking myself is which is better: a 
single multihomed firewall environment or multiple individual firewalls.  
I think simplicity is good, but it can be overly relied on.  There are 
going to be situations that call for permitting access to and from 
networks of differing levels of security, and not everyone can afford the 
luxury of only running "totally secure" applications, if such beasts exist.
So, I think these creatures are going to have to evolve into carefully 
integrated systems comprised of specialized components: packet filters,
bastion hosts, DMZ denizens, etc.

  In other words, I don't think there's going to be a single, holy grail 
of firewall products or components that will fit all sizes and needs.  
Plenty to do for consultants, vendors and internal feeps, all.  

  :-)

  - Barry 
  < disclaimer: these opinions are mine, mine, MINE! ;-) >
===============================================================================
 Barry Archer           Boatmen's Investment Banking Division TSO
