Great Circle Associates Firewalls
(September 1995)
 


Subject: Re: Frame Relay firewalls???
From: Ken Hardy <ken @ bridge . com>
Date: Fri, 29 Sep 95 11:45:11 CST
To: anton @ the-wire . com
Cc: firewalls @ greatcircle . com, thierry @ namsa . nato . int


Per Anton J Aylward <anton @ the-wire . com>:

>>> breaches are conducted using IP.  Traditional IP firewalls require
>>> packet reassembly for ATM networks.  This has the disadvantage of
>>> introducing latency and is a performance bottleneck for otherwise high
>>> performance ATM networks.  That means that most IP traffic traversing
>>> ATM networks is unprotected."
...
>I don't imagine that ATM switches are any harder to hack than Frame Relay or
>"voice".
>Or vice versa.
...
>Re your quote: I don't see what packet re-assembly and latency has to do
>with the traffic being unprotected.
>Even if your data was in a single packet it could still be hijacked, cloned
>or whatever.

I believe that the initial quote is not talking about the switches
themselves, but just about the IP traffic which comes via ATM; the
company, which obviously has a product to sell and may be skewing
reality a bit, seems to claim that ordinary IP firewalls need the whole
IP packet, requiring reassembly.

ATM packets are small and fixed sized -- 5 bytes header and 48 bytes
payload.  Don't recall details of what I read about IP over ATM (a
recent Computer Communications Review had an issue devoted to ATM --
v25n2 04/95), but I assume that the IP packets are spread among several
ATM packets, rather than using IP fragmentation and having an entire IP
packet, albeit a fragment, in each tiny ATM packet.  (Corrections
welcome.)

It appears that this outfit has some sort of IP firewall (maybe just a
screen) for ATM that works without reassembling the IP packets,
achieving lower latency.

It would be interesting to know what they have and what real extra
value it offers.  I posted the original press release.  After having
done so, I repented somewhat and thought that perhaps I should just
have posted their URL for those really interested.  But if it initiates
a discussion here that helps increase general knowledge of these issues
(like whether or not they're significant), without too much noise, it
may be for the best.

- KH
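
Added example, not part of the original message and not the vendor's product: a Python sketch of the case discussed above, assuming IP is carried over AAL5 with RFC 1483 LLC/SNAP encapsulation, which the message does not specify. It shows what a screen can read from the first 48-byte cell of a packet without reassembly, and when that cell alone is not enough; the function names and the sample addresses and ports are constructed for illustration.

```python
import socket
import struct

CELL_PAYLOAD = 48                                # payload bytes per ATM cell
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")  # assumed RFC 1483 LLC/SNAP header for IPv4

def build_ipv4_tcp(src, dst, sport, dport, ip_options=b"", data=b""):
    """Constructed sample packet; checksums stay zero because nothing here verifies them."""
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + ip_options + tcp

def segment_aal5(ip_packet):
    """Split one IP packet into 48-byte cell payloads using AAL5 framing."""
    pdu = LLC_SNAP_IP + ip_packet
    pad = -(len(pdu) + 8) % CELL_PAYLOAD         # the 8-byte trailer must end the last cell
    # Trailer: UU, CPI, 16-bit payload length, CRC-32 (left zero here, not computed).
    pdu += bytes(pad) + struct.pack("!BBHI", 0, 0, len(pdu), 0)
    return [pdu[i:i + CELL_PAYLOAD] for i in range(0, len(pdu), CELL_PAYLOAD)]

def screen_first_cell(cell):
    """Return (src, dst, proto, sport, dport), or None when this cell alone cannot decide."""
    if len(cell) != CELL_PAYLOAD or cell[:8] != LLC_SNAP_IP:
        return None                              # continuation cell or other encapsulation
    ip = cell[8:]                                # at most 40 bytes of the IP packet
    ihl = (ip[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] not in (6, 17) or frag_offset:
        return None                              # not IPv4 TCP/UDP, or a later IP fragment
    if ihl + 4 > len(ip):
        return None                              # IP options pushed the ports into cell 2
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[9], sport, dport)

if __name__ == "__main__":
    cells = segment_aal5(build_ipv4_tcp("192.0.2.10", "198.51.100.7", 40000, 23, data=b"x" * 100))
    print(len(cells), "cells; first cell:", screen_first_cell(cells[0]))
    padded = build_ipv4_tcp("192.0.2.10", "198.51.100.7", 40000, 23, ip_options=b"\x01" * 20)
    print("with 20 bytes of IP options:", screen_first_cell(segment_aal5(padded)[0]))
```

Cells after the first carry no IP header, so a screen that decides on the first cell has to remember its verdict per virtual circuit until the packet's last cell. A `None` result marks the cases where such a screen must either reassemble or apply a default policy.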

