Re: non-IP firewalls

From: Marcus J. Ranum (mjrat_private)
Date: Fri May 01 1998 - 08:48:25 PDT

  • Next message: Feeney, Tim: "RE: Network Security Certification"

    Bernhard Schneck wrote:
    >There's a package called Firewall/Plus which claims to be able to
    >filter lots of different protocols (I think they claimed about 600),
    >includung IPX, SNA and others.
    It's a generic filtering engine that can be programmed to
    "understand" various packets and data formats and firewall
    them. Pretty slick stuff.
    >>From what I read about it, it seems to be a packet filter starting
    >at the MAC layer and working it's way up through the ethernet frame.
    Correct. One interesting thing about it is that it can act
    like a bridge, rather than a router (as most IP firewalls do).
    Since it's handling potentially non-routed protocols, I guess
    that's the only way to do it.
    >I've never used or evaluated it yet, though.  If someone (independent
    >from the vendor, with a reputable name in the field :-) has, I'd sure
    >like to hear about her/his results.
    I did some testing of one in 1995, back when it was a DOS program
    rather than an NT application. This was part of a design review
    I did for hire by the folks at Network-1. Basically, they asked me
    to pound on their product and suggest ways to improve on it. There
    was a lot to like about the firewall and fairly little to dislike.
    I think the reason we don't see more of them is lack of effective
    marketing and the fact that they were a late entry into the market.
    Their NT version was late, too, so they never got sufficient
    Things I liked/didn't like: (This is based on a 4 year old eval)
    Liked: The fact that it acts like a bridge not a router. It's hard
    	to launch attacks against something that doesn't admit it's
    Didn't like: At that time there was no way to manage it remotely. I
    	do not know if this has changed.
    Liked: User interface was very powerful for a person who knows networking
    Didn't like: User interface was too complex for a person who does not
    	know networking
    Loved: Comes with template policies that can be applied: "extremely
    	restrictive security"  "permissive outgoing security" etc.
    Liked: The one I looked at ran on DOS: this took guts. It probably
    	hurt them terribly in the market.
    Definitely a product worth taking a look at. Make your own decision.
    Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
    work -
    home -

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:08 PDT