Educause Security Discussion mailing list archives

Re: Perimeter Firewalls


From: Deke Kassabian <deke () ISC UPENN EDU>
Date: Wed, 10 Aug 2005 14:40:17 -0400

Hi Wesley,

By I2 are you referring to Internet2?

One option that some Internet2 institutions may choose is not to have
a perimeter firewall at all (other than some very minimal filtering to
toss spoofed traffic and maybe the attack-of-the-week).  Instead we
may run a relatively open network with control points like firewalls
closer to specific protected assets (certain application servers or
data stores, some research groups, some specialized equipment, etc).
This can in some cases allow for advanced applications to better use
high bandwidth, low latency networks -- without adding unexpected
speed bumps for researchers and developers who may be working on new
applications and services we hadn't anticipated -- while still
protecting specific elements of the network.

I believe that this approach can potentially provide more finely tuned
control than a perimeter firewall since each firewall can be
specifically tuned to a task.  I think it also tends to help with the
"inside problem", which is that the larger the community of users on
the inside, the more likely that eventually one of them will become
motivated to attempt to compromise another system on the inside, or
the security of the firewall itself. The perimeter firewall is in no
position to help here.

For more of my rantings on this subject, you can find my 2.5-year-old
thinking on this subject at
<http://pobox.upenn.edu/~deke/writing/fwatpenn.html>.

Best,
^Deke


--On Tuesday, August 9, 2005 4:22 PM -0400 "Russell, Wesley (NIH/NLM)"
<russellwes () NLM NIH GOV> wrote:

We are wondering, which firewall solutions I2 organizations are
using at their perimeters?

More specifically, we have a requirement to support jumbo frames and
multicast at gigabit speeds through our perimeter. We want it to run
at layer 3. So the firewall needs to support multicast at layer 3,
not just pass multicast at layer 2. We are aware of the Lucent and
NetScreen products, and want to see if anyone has experience using
these or other firewalls that meet the requirements above.

Thanks for any help.

Wesley Russell
Head, Network Engineering Section, OCCS
National Library of Medicine, NIH
wrussell () nlm nih gov
Office: (301) 496-8462


-------
Deke Kassabian,  Senior Technology Director
Information Systems and Computing, University of Pennsylvania
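An added illustration of the design Deke describes, not part of the thread: a thin perimeter that only discards spoofed packets, plus a firewall placed directly in front of one protected asset. The campus prefixes, the protected host and its rule are constructed sample values (RFC 5737 documentation ranges); the point it shows is that campus-to-campus traffic never reaches the perimeter, so only the asset-level control point can catch the "inside problem".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed campus prefixes (RFC 5737 documentation ranges).
CAMPUS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
# Constructed asset policy: protected host -> allowed (source prefix, port) pairs.
ASSET_POLICY = {"192.0.2.10": [(ip_network("192.0.2.32/27"), 5432)]}

@dataclass(frozen=True)
class Flow:
    ingress: str  # "outside": arrived on the external link; "campus": originated inside
    src: str
    dst: str
    dport: int

def is_campus(addr):
    return any(ip_address(addr) in net for net in CAMPUS)

def perimeter_decision(flow):
    """Thin perimeter: drops only spoofed traffic. Campus-to-campus traffic
    never crosses the border, so the perimeter returns "not-seen" for it."""
    if flow.ingress == "campus" and is_campus(flow.dst):
        return "not-seen"
    if flow.ingress == "outside" and is_campus(flow.src):
        return "drop"  # outside packet claiming a campus source address
    if flow.ingress == "campus" and not is_campus(flow.src):
        return "drop"  # campus host emitting a non-campus source (egress spoof)
    return "pass"

def asset_decision(flow):
    """Firewall placed directly in front of a protected asset."""
    rules = ASSET_POLICY.get(flow.dst)
    if rules is None:
        return "pass"  # not a protected asset: no control point here
    src = ip_address(flow.src)
    if any(src in net and flow.dport == port for net, port in rules):
        return "pass"
    return "drop"

def decide(flow):
    """Overall verdict plus the control point that produced it."""
    if perimeter_decision(flow) == "drop":
        return ("drop", "perimeter")
    if asset_decision(flow) == "drop":
        return ("drop", "asset")
    return ("pass", None)
```

A campus host outside the application subnet probing the data store is invisible to the perimeter and is stopped only by the asset firewall, while an outside packet forging a campus source is discarded at the border before any asset rule is consulted.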
