Great Circle Associates Firewalls
(March 1996)

Subject: Re: DOS based firewalls: Hancock's Reply
From: Rabid Wombat <wombat @ mcfeely . bsfs . org>
Date: Tue, 26 Mar 1996 07:48:08 -0500 (EST)
To: mdr @ vodka . sse . att . com
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9603251514 . AA02715 @ ig4 . att . att . com>

On Mon, 25 Mar 1996 mdr @ vodka . sse . att . com wrote:

(much snipped)
> 
> I understand.  And I feel for you.  But on the other hand, I think
> that KMG's reaction does represent a perpetual question w.r.t. your
> product's implementation.  The question is: what have you done to
> address the problem?  Booting off DOS and taking over (if that's what
> you do) is certainly a viable approach.  But it needs to address host
> security to guarantee for example that the binaries that you boot have
> not been modified.  It also needs some method of monitoring its own
> operation.  That's not easy.  Your application may start looking like
> an operating system, and then we're back to OS security again.
> 

Many good points on all sides, except perhaps for the OS-jihad that grew 
out of this ...

However,

There is room for a range of firewall products - not everyone needs, or 
can afford, some of the levels of protection that are available. Just 
because one cannot afford the best locks around, two armed guards, and 
closed circuit t.v. doesn't mean that the door should be left unlocked. 
This is not an all-or-nothing proposition.

There seems to be a tremendous market out there for a relatively simple
system that can protect somewhat lax host-security on the inside from 
"most basic" efforts from the outside (drawing the line at 
play-in-the-middle attacks and such). While this is admittedly poor 
security practice, it is a market-driven occurrence. Many new sites are 
connecting every day, and they are looking for basic "car alarm" security 
- won't keep out the professional, but "better than nothing." This is 
probably not going to change any time soon, unless a major exploitation 
occurs that manages to attract attention well beyond the IS community.

Many of these sites can scarcely afford a full-time, qualified sys. 
admin, let alone dedicated infosec pros. A system that can do the basics, 
is self-contained ("firmware") and runs on a platform that these people 
understand would seem to have a niche.

I'm sure everyone's products have room for improvement. Isn't that why 
we're all here?

- r.w.

p.s. Thanks for the info, Mark. Informative, as always.

