Security Basics mailing list archives
RE: Distributed Firewall
From: "Jared Valentine" <hidden () xmission com>
Date: Thu, 24 Apr 2003 13:29:30 -0600
"one console to rule them all" can be a good thing. It allows an admin to react quickly to a virus/worm/trojan that is spreading on the network. It could also be a bad thing if it were ever subverted.

The mimicking of the remote console isn't much of an issue, as long as you can authenticate AND encrypt the command/control channels between the console and the distributed firewalls. That's what 3Com/Secure Computing's Embedded Firewall does. There are RSA pub/priv keypairs and 3DES session keys used to authenticate and encrypt the traffic between the console and the firewall cards.

If you can get the private key that the console uses, and the console software, then you might be able to subvert the system. That's why you would take all possible measures to secure the console system. That machine needs firewall, AV, IDS, even physical security.

Jared Valentine
hidden () xmission com

-----Original Message-----

> Sounds like a good idea but I see some flaws. Even with such a setup there is always the vulnerability of the remote console and the vulnerability of it being mimicked by a remote attack. Anything with a central control has the inherent weakness of the power of that control - which is one of the flaws a distributed firewall is trying to avoid.
>
> Just my 2c.
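The authenticated-and-encrypted console-to-card control channel Jared describes (RSA keypairs plus a 3DES session key), shown as an added example in Go. This is not code from the thread and not 3Com/Secure Computing's actual protocol or wire format: the envelope layout, RSA-OAEP for wrapping the session key, PKCS#1 v1.5 signatures over the command, the console public key pinned on the card at provisioning, and the sample rule strings are all assumptions made for illustration. It demonstrates why "mimicking the console" fails when the card only accepts commands signed by the enrolled console key, and equally why stealing that private key defeats the scheme.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is one console -> firewall-card control message.
// Illustrative layout only (assumption), not the product's wire format.
type Envelope struct {
	WrappedKey []byte // 24-byte 3DES session key, RSA-OAEP encrypted to the card
	IV         []byte // CBC IV, fresh per message
	Body       []byte // 3DES-CBC( command || RSA signature over command )
}

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// SealCommand runs on the console: sign the command with the console's
// private key, then encrypt command+signature under a fresh 3DES session
// key that only the card's private key can unwrap.
func SealCommand(consolePriv *rsa.PrivateKey, cardPub *rsa.PublicKey, cmd []byte) (*Envelope, error) {
	digest := sha256.Sum256(cmd)
	sig, err := rsa.SignPKCS1v15(rand.Reader, consolePriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 24) // three independent 8-byte DES subkeys
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cardPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, block.BlockSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	plain := pkcs7Pad(append(append([]byte{}, cmd...), sig...), block.BlockSize())
	body := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body, plain)
	return &Envelope{WrappedKey: wrapped, IV: iv, Body: body}, nil
}

// OpenCommand runs on the card: unwrap the session key, decrypt, and accept
// the command only if its signature verifies under the console public key
// pinned at provisioning time. Anything else is dropped.
func OpenCommand(cardPriv *rsa.PrivateKey, consolePub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, cardPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed")
	}
	block, err := des.NewTripleDESCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(env.IV) != block.BlockSize() || len(env.Body)%block.BlockSize() != 0 {
		return nil, errors.New("malformed envelope")
	}
	plain := make([]byte, len(env.Body))
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(plain, env.Body)
	if plain, err = pkcs7Unpad(plain, block.BlockSize()); err != nil {
		return nil, err
	}
	sigLen := consolePub.Size()
	if len(plain) < sigLen {
		return nil, errors.New("envelope too short")
	}
	cmd, sig := plain[:len(plain)-sigLen], plain[len(plain)-sigLen:]
	digest := sha256.Sum256(cmd)
	if err := rsa.VerifyPKCS1v15(consolePub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("command not signed by the enrolled console; dropped")
	}
	return cmd, nil
}

func main() {
	consoleKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	cardKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048) // impostor "console"

	env, _ := SealCommand(consoleKey, &cardKey.PublicKey, []byte("BLOCK tcp any -> any 135"))
	cmd, err := OpenCommand(cardKey, &consoleKey.PublicKey, env)
	fmt.Printf("genuine console: %q err=%v\n", cmd, err)

	forged, _ := SealCommand(attackerKey, &cardKey.PublicKey, []byte("ALLOW any"))
	_, err = OpenCommand(cardKey, &consoleKey.PublicKey, forged)
	fmt.Println("impostor console:", err)
}
```

The impostor knows the card's public key and can build a well-formed envelope, but the card rejects it because the signature does not verify under the pinned console key; only the holder of the console private key gets a rule applied, which is exactly why that key and the host it lives on need the protection Jared lists. Two caveats a practitioner would add today: the security of the channel rests entirely on the card's copy of the console public key being correct at enrollment, and CBC with a signature inside the ciphertext gives no integrity check on the ciphertext itself, so a current design would wrap the body in an AEAD rather than 3DES-CBC.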
Current thread:
- Re: Distributed Firewall, (continued)
- Re: Distributed Firewall Nathan Ryan Milford (Apr 24)
- Re: Distributed Firewall Hannes Tschofenig (Apr 24)
- Re: Distributed Firewall Chris Burton (Apr 25)
- Re: Distributed Firewall Hannes Tschofenig (Apr 24)
- RE: Distributed Firewall David Gillett (Apr 24)
- Re: Distributed Firewall Kendric (Apr 24)
- Re: Distributed Firewall Hannes Tschofenig (Apr 24)
- RE: Distributed Firewall A Packard (Bugtraq) (Apr 24)
- RE: Distributed Firewall Ken Kousky (Apr 25)
- Re: Distributed Firewall Shadow (Apr 24)
- Re: Distributed Firewall Kendric (Apr 24)
- RE: Distributed Firewall Jared Valentine (Apr 25)
- RE: Distributed Firewall Conor F. Sibley (Apr 24)
- Re: Distributed Firewall Marcelo Olguin (Apr 24)
- Re: Distributed Firewall Joerg Over (Apr 24)
- Re: Distributed Firewall Hannes Tschofenig (Apr 24)
- RE: Distributed Firewall Chris Peden (Apr 25)
- RE: Distributed Firewall JAVIER OTERO (Apr 28)
- RE: Distributed Firewall Seth Knox (Apr 28)
- Re: Distributed Firewall Nathan Ryan Milford (Apr 24)