Firewall Wizards mailing list archives

Re: non-IP firewalls


From: Bennett Todd <bet () rahul net>
Date: Thu, 30 Apr 1998 04:09:03 -0700

1998-04-29-23:23:41 ArkanoiD:
A question is: what non-IP protocols can be (and should be) firewalled?

Given a broad enough definition of ``firewalled'', all of 'em. By that
broad definition, the access router doing xtacacs to our SecurID server
is the firewall for the dialup network (coming in on PRI).

In the few cases I've had to deal with non-IP networks coming in (a
couple of x.25-based feeds) I took the approach that since neither I nor
anyone else in our firm had any knowledge of the security model and
protocols used on the alien network, we'd just treat it as a portion of
the trust zone belonging to the other company. Park a neutral machine
out there to run their interface software, on a little one-host LAN, and
make it accessible to our in-house network through a router that's doing
NAT, and is configured to pass _nothing_ except outbound TCP 22 (ssh).
This makes it easy to configure who can get at this box, and easy to get
a handle on what damage this box can do --- namely, nothing but sabotage
the data we're buying from the other company anyway.

Happily, non-IP protocols seem to be dying out wherever you look. So
this problem is fading with time, though other problems are certainly
ramping up to take its place:-).

-Bennett
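The router Bennett describes (NAT, pass nothing except in-house-to-island ssh) rendered as an nftables ruleset; this is an added example, not the original post's configuration, and it assumes the interface names and addresses given in the comments.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post). Assumptions: eth0 faces the
# in-house network (10.0.0.0/8); eth1 is the one-host LAN holding the
# partner-feed machine at 192.168.77.2, with the router at 192.168.77.1.
flush ruleset

define INSIDE_IF   = "eth0"
define ISLAND_IF   = "eth1"
define INSIDE_NET  = 10.0.0.0/8
define ISLAND_HOST = 192.168.77.2

table inet island {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to sessions already admitted may flow back; nothing
        # that originates on the island side is ever forwarded.
        ct state established,related accept
        ct state invalid drop

        # The single permitted service: in-house staff ssh to the island host.
        iifname $INSIDE_IF oifname $ISLAND_IF ip saddr $INSIDE_NET ip daddr $ISLAND_HOST tcp dport 22 ct state new accept

        # Everything else, including any connection the island host tries
        # to open toward the in-house network, is logged and dropped so the
        # attempt is visible to whoever watches the router.
        log prefix "island-drop: " drop
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Management of the router itself: only from inside, only ssh.
        iifname $INSIDE_IF ip saddr $INSIDE_NET tcp dport 22 ct state new accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide in-house addresses from the island: the partner-feed host
        # only ever sees the router's own address as the ssh client.
        oifname $ISLAND_IF masquerade
    }
}
```

Load with `nft -f` on the router and confirm with `nft list ruleset` that the forward chain carries exactly one accept rule for new connections.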


