RE: non-IP firewalls

From: Stout, William (StoutW@pioneer-standard.com)
Date: Fri May 01 1998 - 13:19:25 PDT

Next message: Joseph S. D. Yao: "Re: Network Security Certification"

Previous message: Bruce K. Marshall: "Re: How do we do our job?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The Non-IP (multiprotocol) firewall issue is a loaded gun.  You're
talking about Intranet firewalling, and passing applications that are
not either designed to use a proxy or a packet filter.  Internal IP
applications tend to use random higher-number ports, just try to filter
ports 20000-30000.  Intranet includes LAN, private WAN and remote LAN
networks.

Since MIS groups primarily want things to work and security is a
secondary consideration, restrictions will cause workarounds, such as in
one company where IP is routed via FW-1, and all other protocols
(DECnet, IPX, NetBEUI, etc) are bridged via a direct connection.  

You can't successfully firewall a existing corporate Intranet.  Period.
The only way to bring Intranet firewalling into the network is with a
network redesign, and lots of thought about the applications.  If a
company's network or systems locations are dynamic, it's a lost cause.
It's better to monitor and record traffic with an IDS system.  

Network-1 is one of the few software choices when choosing a
multi-protocol firewall, and it has it's own issues that aren't present
when using standard router filtering.  It is an NDIS shim that resides
below the network stack, and should be independant of limitations of the
O.S..  However firewall management and control software runs in the
O.S., and various issues cause it to crash, most likely because NW-1
tech support is not obviously familiar with NTsecurity, hotfixes, or
patches.  Four of the issues that hopefully someone on this list from
NW-1 can address are the following:

1. File transfers >1.3GB cause FW-1 to crash, runs out of virtual
memory.
2. Sessions with excessive lifetime (>6 hours)fill NT virtual memory,
crash firewall.
3. Installation techs do not take any steps to harden the O.S. during
installation.
4. MS-TCP stack with all it's flaws is present and required for remote
management.

1 & 2 are probably fixable with a November hotfix related to NDIS
drivers running out of virtual memory (hint, hint).

OTOH, Bill Hancock is an impressive speaker, apparently knowledgable,
and knows his stuff.

Bill Stout

Next message: Joseph S. D. Yao: "Re: Network Security Certification"
Previous message: Bruce K. Marshall: "Re: How do we do our job?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:58:13 PDT