Firewall Wizards mailing list archives

RE: New FW architecture? (was RE: Time for a new FWTK?)


From: "Stout, William" <StoutW () pios com>
Date: Mon, 01 Dec 1997 15:57:56 -0500

(Forgive my ramblings).

I believe this is natural evolution of the firewall architecture (Note
that I did not say proxy server).  IMNSO - It's inane to force all the
possible protocol filtering requirements of a corporation onto one box,
especially if one user exposes the entire corporation to a new unproven
protocol.

'The Internet' is a collection of compartmented networks.  For easier to
manage and monitor security, you can compartmentalize networks further
with additional firewalls.  However, the only way that one could manage
the security of a large number of firewalls is to delegate some of the
authority and decisions to departments, and monitor them centrally.

If we forced a 'DMZ backbone' on corporations they'd puke, due to the
need to completely redesign their network architecture.  So let's
compact it.  Collapse the backbone into a switch.  Rack of proxy
servers.  Security management station.  Multiport IDS box.  Dynamic
rules.  Direct access requirement for privileged admin, remote access
for departmental admin.  'Spanning tree' or loop detection (to prevent
cross-departmental lines).  Here:

                         
      To management      ----------
      bus/net     -> x---| FW & IDS|
                         | Mgt Sys |
    Monitor   +----------|         |--->other places as required
      port -> |          ----------
     -----------     x---|         |         
     |         |---------| FW-a    |---------Department a (MIS)
     | 'VPN'   |         ----------          
     | Switch  |     x---|         |---------Department b 
     |         |---------| FW-b    |         
     |         |         ----------          
     |         |---------|         |         
     |Collapsed|     x---| FW-c    |---------Department c
     |backbone |         ----------          
     |  'DMZ'  |---------|         |---------Department d
     -----------     x---| FW-d    |         ...etc...
              |          ----------
              +----------| (weak)  |
                         | FW-I    |--->Internet 
                         ----------

The IDS and management station could potentially be combined.  With
enough horsepower, the group could be combined into a single system
running multiple O.S. partitions.  (Gee, this almost looks like an IBM SP
system).

It would be interesting if the IDS system could control the DMZ switch.

It would be interesting if the FWs were also IDS probes (clients).

One could rename 'Department' to 'zone' so one could visualize 'zoning'
the corporation by building, location, etc., rather than divide it along
departmental lines.

The Internet firewall could be more than one for high bandwidth/failover
needs.

BTW - I do like the idea of making the IS department an internal ISP.
That potentially opens a whole new competitive market of service
providers who might be able to provide better service than an IS
department.

Bill Stout

PS - John McDermott's idea of CI, DI, OI nomenclature is good, but I get
confused too easily by multiple terms.
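[Editor's note, not part of Bill's message: the 'loop detection (to prevent
cross-departmental lines)' requirement above can be checked mechanically.
The script below is an added example that models the collapsed-'DMZ'
diagram as a link list and flags any pair of zones (departments or the
Internet) that can reach each other without traversing the DMZ switch.
Node names, the sample link list and the function names are assumptions
made for this example, not anything from the original post.]

```python
# Added example (not from the original post): audit a zoned firewall
# topology for 'cross-departmental lines', i.e. paths between two zones
# that bypass the collapsed-backbone 'DMZ' switch. Node names and the
# LINKS list are constructed to follow the diagram in the message.
from collections import deque

# Constructed sample topology: each department hangs off its own firewall,
# and every firewall hangs off the collapsed-backbone switch.
LINKS = [
    ("DMZ-switch", "FW-a"), ("FW-a", "Dept-a"),
    ("DMZ-switch", "FW-b"), ("FW-b", "Dept-b"),
    ("DMZ-switch", "FW-c"), ("FW-c", "Dept-c"),
    ("DMZ-switch", "FW-I"), ("FW-I", "Internet"),
    ("DMZ-switch", "FW-IDS-Mgt"),
]

def build_graph(links):
    """Undirected adjacency sets from a list of (node, node) links."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def reachable_without(graph, start, goal, banned):
    """BFS from start to goal, refusing to step onto any node in `banned`."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return True
        for nxt in graph.get(node, ()):
            if nxt not in seen and nxt not in banned:
                seen.add(nxt)
                queue.append(nxt)
    return False

def find_cross_department_lines(links, choke_point="DMZ-switch"):
    """Return sorted (zone, zone) pairs connected by some path that never
    crosses the choke point; an empty list means every inter-zone path
    (including to the Internet) is forced through the DMZ switch."""
    graph = build_graph(links)
    zones = sorted(n for n in graph if n.startswith("Dept-") or n == "Internet")
    offending = []
    for i, z1 in enumerate(zones):
        for z2 in zones[i + 1:]:
            if reachable_without(graph, z1, z2, banned={choke_point}):
                offending.append((z1, z2))
    return offending

if __name__ == "__main__":
    print(find_cross_department_lines(LINKS))                          # []
    print(find_cross_department_lines(LINKS + [("Dept-b", "Dept-c")]))  # [('Dept-b', 'Dept-c')]
```

A stray link such as a department-to-department cable, or a second FW-to-FW link, shows up as an offending pair, which is the condition the IDS/management station would want to alarm on.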
