Chris Kostick wrote about SunScreen:
> I can't say I like the fact it is totally a blackbox.
Well, there are good and bad points to this, and you've pointed out only
the bad ones. First, being transparent (and having no IP
addresses on the filtering interfaces) makes it very hard to detect,
attack, and compromise from a malicious perspective. This is one area
where many of the current firewall products fail. They build a nice
packet filtering and/or proxy layer on top of a fully functioning Unix
platform. Then you rely solely on the installer/administrator to secure
the OS before installing and configuring the firewall software. As we
know, this can be a daunting task for the security impaired.

Second, being basically a 4-port Ethernet hub makes the SS very easy to
install into an existing environment. Most organizations have a hub
hooked directly off of their Internet (or other untrusted network)
router anyway, so the SS just fits in between.

Third, being transparent makes it simple to integrate from a user
perspective. Humans resist change, and any time you add another level
of complexity for Susie accessing www.wasteoftime.com you're asking for
trouble. God forbid Susie be a manager, and your firewall funding gets
cut off. Traditionally, this was the benefit of packet filtering
firewalls over application level gateway firewalls. But that benefit is
now becoming void with "transparent" proxies from TIS, Raptor, etc.
With a transparent solution, Susie doesn't even know that her
packets have passed through a perimeter security device, been
authenticated, encrypted, (mangled), or whatever. Anyway, just a few
observations.
> I like to be able to see what's going on with the machine and, as
> a manager, interrogate it any way I please. You don't have that
> option with sunscreen.
Actually, you can interrogate the SunScreen from a management
perspective very easily. In the SunScreen Administration application on
the admin station, double-click on the name of the SunScreen to
establish an encrypted connection to it. When the SS screen appears, go
to the "Miscellaneous" tab on the GUI and type "help" in the "Get
Special Information" field. You will be presented with a list of legal
commands to send to the SS. These commands will allow you to retrieve
all kinds of OS information. Of course, there are also the other 9 tabs
of information and statistics to look at if you're interested as well.
The SunScreen device itself is designed to coexist peacefully with your
comm equipment and never really be touched by human hands (other than
initial configuration). Much like a router, CSU, etc., the SS only has
idiot lights on the front panel and must be interrogated by the admin
station to get detailed operating stats. Again, just like a router,
CSU, etc. It's just a different philosophy than, say, a firewall
application running on a Unix box. In that case you'd expect a directly
connected keyboard, mouse, monitor, etc to be your interface to finding
out what's up. Not so with comm gear, or with the SunScreen.
Norm
Norm Laudermilch
Trident Data Systems
norm_laudermilch@tds.com