Re: non-IP firewalls

From: Marcus J. Ranum (mjrat_private)
Date: Fri May 01 1998 - 08:48:25 PDT


    Bernhard Schneck wrote:
    >There's a package called Firewall/Plus which claims to be able to
    >filter lots of different protocols (I think they claimed about 600),
    >including IPX, SNA and others.
    
    It's a generic filtering engine that can be programmed to
    "understand" various packets and data formats and firewall
    them. Pretty slick stuff.
    
    >From what I read about it, it seems to be a packet filter starting
    >at the MAC layer and working its way up through the ethernet frame.
    
    Correct. One interesting thing about it is that it can act
    like a bridge, rather than a router (as most IP firewalls do).
    Since it's handling potentially non-routed protocols, I guess
    that's the only way to do it.
    
    >I've never used or evaluated it yet, though.  If someone (independent
    >from the vendor, with a reputable name in the field :-) has, I'd sure
    >like to hear about her/his results.
    
    I did some testing of one in 1995, back when it was a DOS program
    rather than an NT application. This was part of a design review
    I did for hire by the folks at Network-1. Basically, they asked me
    to pound on their product and suggest ways to improve on it. There
    was a lot to like about the firewall and fairly little to dislike.
    I think the reason we don't see more of them is lack of effective
    marketing and the fact that they were a late entry into the market.
    Their NT version was late, too, so they never got sufficient
    attention.
    
    Things I liked/didn't like: (This is based on a 4-year-old eval)
    Liked: The fact that it acts like a bridge not a router. It's hard
    	to launch attacks against something that doesn't admit it's
    	there.
    Didn't like: At that time there was no way to manage it remotely. I
    	do not know if this has changed.
    Liked: User interface was very powerful for a person who knows networking
    Didn't like: User interface was too complex for a person who does not
    	know networking
    Loved: Comes with template policies that can be applied: "extremely
    	restrictive security"  "permissive outgoing security" etc.
    Liked: The one I looked at ran on DOS: this took guts. It probably
    	hurt them terribly in the market.
    
    Definitely a product worth taking a look at. Make your own decision.
    
    mjr.
    --
    Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
    work - http://www.nfr.net
    home - http://www.clark.net/pub/mjr
    
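The design discussed above, a filter that sits on a bridge rather than a router and starts its decision at the MAC layer so that non-IP traffic such as IPX can be policed at all, is easy to sketch in a few dozen lines. The following is an added example written for this archive page; it is not Firewall/Plus code, and its policy language, the two template policies named after the ones in the post, the port names "inside"/"outside", and the sample frames are all constructed assumptions. The point it makes is the one the post makes: a bridge port has no IP address to answer on, so every frame is decided on what is in it, not on what the firewall is.

```python
"""Toy bridge-style filter that starts at the EtherType and works up the frame.
Constructed example for illustration; not the vendor's code or policy format."""
import struct

# Well-known EtherType values (Ethernet II framing).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPX = 0x8137          # Novell IPX over Ethernet II
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet II header, then IPv4 and TCP/UDP ports if present.
    Non-IP frames (IPX, ARP, ...) stop at the EtherType, which is all a
    layer-2 filter needs to decide on them."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "ethertype": etype, "proto": None, "sport": None, "dport": None}
    payload = frame[14:]
    if etype == ETHERTYPE_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4          # header length in bytes
        info["proto"] = payload[9]
        l4 = payload[ihl:]
        if info["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
            info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


# A rule matches on ingress bridge port ("inside"/"outside"), EtherType,
# IP protocol and destination port; None means "any". First match wins.
def rule(action, port=None, ethertype=None, proto=None, dport=None):
    return {"action": action, "port": port, "ethertype": ethertype,
            "proto": proto, "dport": dport}


# Template policies; the rule sets are an assumption for illustration.
POLICIES = {
    "extremely restrictive": {
        "default": "drop",
        "rules": [
            rule("accept", ethertype=ETHERTYPE_ARP),                  # ARP both ways
            rule("accept", port="inside", ethertype=ETHERTYPE_IPV4,
                 proto=IPPROTO_TCP, dport=80),                        # outbound HTTP
            rule("accept", port="inside", ethertype=ETHERTYPE_IPV4,
                 proto=IPPROTO_TCP, dport=443),                       # outbound HTTPS
        ],
    },
    "permissive outgoing": {
        "default": "drop",
        "rules": [
            rule("accept", ethertype=ETHERTYPE_ARP),
            rule("accept", port="inside"),        # anything leaving, IPX included
        ],
    },
}


def _matches(r: dict, info: dict, ingress_port: str) -> bool:
    if r["port"] is not None and r["port"] != ingress_port:
        return False
    return all(r[k] is None or r[k] == info[k] for k in ("ethertype", "proto", "dport"))


def filter_frame(frame: bytes, ingress_port: str, policy_name: str):
    """Return (action, matched_rule_index) for a frame seen on a bridge port."""
    info = parse_frame(frame)
    policy = POLICIES[policy_name]
    for i, r in enumerate(policy["rules"]):
        if _matches(r, info, ingress_port):
            return r["action"], i
    return policy["default"], None


# --- constructed sample frames (hypothetical MACs and addresses) ---
def build_frame(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_ipv4_tcp(src_ip, dst_ip, sport, dport):
    # Minimal 20-byte IPv4 header + 20-byte TCP SYN; checksums left zero.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, src_ip, dst_ip)
    return ip + tcp


INSIDE_HOST = bytes.fromhex("001122334455")
OUTSIDE_HOST = bytes.fromhex("66778899aabb")
OUTBOUND_HTTP = build_frame(OUTSIDE_HOST, INSIDE_HOST, ETHERTYPE_IPV4,
                            build_ipv4_tcp(b"\x0a\x00\x00\x05", b"\xc0\x00\x02\x01", 40000, 80))
INBOUND_HTTP = build_frame(INSIDE_HOST, OUTSIDE_HOST, ETHERTYPE_IPV4,
                           build_ipv4_tcp(b"\xc0\x00\x02\x01", b"\x0a\x00\x00\x05", 40001, 80))
IPX_FRAME = build_frame(OUTSIDE_HOST, INSIDE_HOST, ETHERTYPE_IPX, b"\xff\xff" + bytes(28))

if __name__ == "__main__":
    for name, frame, port in [("outbound HTTP", OUTBOUND_HTTP, "inside"),
                              ("inbound HTTP", INBOUND_HTTP, "outside"),
                              ("outbound IPX", IPX_FRAME, "inside")]:
        for pol in POLICIES:
            print(f"{pol:22s} {name:14s} -> {filter_frame(frame, port, pol)}")
```

Because the decision key is the ingress port plus whatever the frame carries, the same engine handles IPX and IP without the box ever holding an address on either side; a real implementation would add stateful tracking for the "permissive outgoing" case, which this stateless sketch deliberately leaves out.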



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:08 PDT