Educause Security Discussion mailing list archives
Re: Perimeter Firewalls
From: Deke Kassabian <deke () ISC UPENN EDU>
Date: Wed, 10 Aug 2005 14:40:17 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Wesley,

By I2 are you referring to Internet2?

One option that some Internet2 institutions may choose is not to have a perimeter firewall at all (other than some very minimal filtering to toss spoofed traffic and maybe the attack-of-the-week). Instead we may run a relatively open network with control points like firewalls closer to specific protected assets (certain application servers or data stores, some research groups, some specialized equipment, etc).

This can in some cases allow for advanced applications to better use high bandwidth, low latency networks -- without adding unexpected speed bumps for researchers and developers who may be working on new applications and services we hadn't anticipated -- while still protecting specific elements of the network.

I believe that this approach can potentially provide more finely tuned control than a perimeter firewall since each firewall can be specifically tuned to a task. I think it also tends to help with the "inside problem", which is that the larger the community of users on the inside, the more likely that eventually one of them will become motivated to attempt to compromise another system on the inside, or the security of the firewall itself. The perimeter firewall is in no position to help here.

For more of my rantings on this subject, you can find my 2.5-year-old thinking on this subject at <http://pobox.upenn.edu/~deke/writing/fwatpenn.html>.

Best,
^Deke

- --On Tuesday, August 9, 2005 4:22 PM -0400 "Russell, Wesley (NIH/NLM)" <russellwes () NLM NIH GOV> wrote:
> We are wondering which firewall solutions I2 organizations are using at their perimeters? More specifically, we have a requirement to support jumbo frames and multicast at gigabit speeds through our perimeter. We want it to run at layer 3. So the firewall needs to support multicast at layer 3, not just pass multicast at layer 2.
>
> We are aware of the Lucent and NetScreen products, and want to see if anyone has experience using these or other firewalls that meet the requirements above.
>
> Thanks for any help.
>
> Wesley Russell
> Head, Network Engineering Section, OCCS
> National Library of Medicine, NIH
> wrussell () nlm nih gov
> Office: (301) 496-8462
- -------
Deke Kassabian, Senior Technology Director
Information Systems and Computing, University of Pennsylvania

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iQCVAwUBQvpKGAdgpibJswu9AQJu8QP/REaJbF7cyPNivmHiwueYXUrRir3217yM
XolOjZaJr86o5adFNvS9m2b4GRM0umAh+9CwKjwVGUVjxtkWQtBG5bc3QloX2fsY
y2V7kx8v1A+yDDUqLLMv/mdL2AfQUoVKZ5hw0ukEgHxkz806t0SE/TYNInCrSe4N
AtcoFfgH3FE=
=5yyM
-----END PGP SIGNATURE-----
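The two-stage design Deke describes above (a perimeter that does nothing beyond dropping spoofed sources, with real policy enforced by control points placed directly in front of protected assets) can be modelled as a small packet classifier. The following is an added illustration, not code from the list thread or from Penn; the address ranges (RFC 5737 documentation space standing in for campus and Internet hosts), the asset policies and the sample packets are all constructed for the example. It shows why the perimeter stage passes jumbo frames, multicast and unanticipated protocols untouched, and why the asset stage is the only one that can act on the "inside problem" traffic that never crosses the perimeter.

```python
"""Minimal anti-spoofing perimeter plus per-asset firewalls (added example; constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: the institution's own public address space (RFC 5737 documentation range).
CAMPUS_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source addresses that can never legitimately arrive from the Internet
# (private, loopback, link-local, multicast, reserved). The RFC 5737 nets are
# deliberately left out because this example borrows them as sample hosts.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str            # "outside" = arriving from the Internet, "inside" = leaving campus,
                          # "internal" = campus-to-campus, never touches the perimeter
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: Optional[int]
    length: int           # bytes on the wire; frame size is never a match criterion here


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def perimeter_decision(pkt: Packet) -> str:
    """The 'very minimal filtering': drop spoofed sources in both directions and
    permit everything else unchanged, so jumbo frames, multicast groups and
    protocols nobody planned for are not slowed down at the edge."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside":
        if _in_any(src, CAMPUS_PREFIXES):
            return "drop-spoofed-campus-source"
        if _in_any(src, BOGON_SOURCES):
            return "drop-bogon-source"
    elif pkt.iface == "inside":
        if not _in_any(src, CAMPUS_PREFIXES):
            return "drop-egress-spoof"
    return "permit"


# Constructed per-asset policies: protected address -> allowed (source net, proto, dport).
ASSET_POLICIES = {
    "203.0.113.50": [  # data store: only the application server, only the database port
        (ipaddress.ip_network("203.0.113.10/32"), "tcp", 5432),
    ],
    "203.0.113.80": [  # departmental web server: anyone, HTTPS only
        (ipaddress.ip_network("0.0.0.0/0"), "tcp", 443),
    ],
}


def asset_decision(pkt: Packet) -> str:
    """Control point directly in front of a protected asset. It sees traffic from
    everywhere, including other campus hosts, which the perimeter never does."""
    rules = ASSET_POLICIES.get(pkt.dst)
    if rules is None:
        return "permit"  # not a protected asset: the open network applies
    src = ipaddress.ip_address(pkt.src)
    for net, proto, dport in rules:
        if src in net and pkt.proto == proto and pkt.dport == dport:
            return "permit"
    return "drop-asset-policy"


def process(pkt: Packet) -> str:
    """Apply only the stages a packet actually traverses and return the verdict."""
    if pkt.iface != "internal":
        verdict = perimeter_decision(pkt)
        if verdict != "permit":
            return verdict
    return asset_decision(pkt)


if __name__ == "__main__":
    samples = [  # constructed traffic
        Packet("outside", "203.0.113.5", "203.0.113.80", "tcp", 443, 60),     # spoofed campus source
        Packet("outside", "198.51.100.7", "224.1.2.3", "udp", 5004, 9000),   # multicast, jumbo: passes
        Packet("outside", "198.51.100.7", "203.0.113.50", "tcp", 5432, 60),  # Internet host to data store
        Packet("internal", "203.0.113.77", "203.0.113.50", "tcp", 5432, 1500),  # rogue campus host
        Packet("internal", "203.0.113.10", "203.0.113.50", "tcp", 5432, 1500),  # app server: allowed
    ]
    for p in samples:
        print(f"{p.iface:8} {p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport}: {process(p)}")
```

The point of the split is visible in the last two sample packets: both come from campus hosts and never reach the perimeter, so only the asset-level policy distinguishes the application server from a compromised neighbour.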
Current thread:
- Perimeter Firewalls Russell, Wesley (NIH/NLM) (Aug 09)
- <Possible follow-ups>
- Re: Perimeter Firewalls Deke Kassabian (Aug 10)
- Re: Perimeter Firewalls Graham Toal (Aug 10)