Firewall Wizards mailing list archives
Re: non-IP firewalls
From: Bennett Todd <bet () rahul net>
Date: Thu, 30 Apr 1998 04:09:03 -0700
1998-04-29-23:23:41 ArkanoiD:
A question is: what non-IP protocols can be (and should be) firewalled?
Given a broad enough definition of ``firewalled'', all of 'em. By that broad definition, the access router doing xtacacs to our SecurID server is the firewall for the dialup network (coming in on PRI).

In the few cases I've had to deal with non-IP networks coming in (a couple of x.25-based feeds) I took the approach that since neither I nor anyone else in our firm had any knowledge of the security model and protocols used on the alien network, we'd just treat it as a portion of the trust zone belonging to the other company. Park a neutral machine out there to run their interface software, on a little one-host LAN, and make it accessible to our in-house network through a router that's doing NAT, and is configured to pass _nothing_ except outbound TCP 22 (ssh). This makes it easy to configure who can get at this box, and easy to get a handle on what damage this box can do --- namely, nothing but sabotage the data we're buying from the other company anyway.

Happily, non-IP protocols seem to be dying out wherever you look. So this problem is fading with time, though other problems are certainly ramping up to take its place :-).

-Bennett
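The isolation described in the message above, sketched as a present-day nftables ruleset for a Linux box standing in for the router. This is an added example, not configuration from the original post; the interface names, the 192.0.2.10 address, and the NAT direction (in-house sources masqueraded toward the one-host LAN) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: router between the in-house network and a one-host LAN.
# All names and addresses below are assumed, not taken from the post.
flush ruleset

define inside_if = "eth0"       # in-house network side (assumed)
define feed_if   = "eth1"       # one-host LAN side (assumed)
define feed_host = 192.0.2.10   # neutral machine running the vendor's
                                # interface software (documentation address)

table inet filter {
    chain input {
        # Nothing may talk to the router itself; add a management
        # rule here if the router is administered in-band.
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
    }

    chain forward {
        # Default deny: the router passes nothing unless listed below.
        type filter hook forward priority filter; policy drop;

        # Return traffic for sessions the in-house side opened.
        ct state established,related accept

        # The only new flow allowed: in-house hosts opening ssh
        # (TCP 22) to the neutral machine.
        iifname $inside_if oifname $feed_if ip daddr $feed_host tcp dport 22 ct state new accept

        # Anything the neutral machine tries to initiate is logged and
        # dropped, so a compromise of that box is visible at the router.
        iifname $feed_if log prefix "feed-host-initiated: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide in-house addresses from the one-host LAN.
        oifname $feed_if masquerade
    }
}
```

Because the forward chain only ever accepts new connections arriving on the inside interface, the neutral machine can answer ssh sessions but cannot open a connection of its own into the in-house network.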