Firewall Wizards mailing list archives
Re: are firewalls limited to only protecting ethernet connections?
From: Darren Reed <darrenr () reed wattle id au>
Date: Sat, 10 Oct 1998 23:45:57 +1000 (EST)
In some email I received from KirkAdams, sie wrote:
> Darren Reed wrote:
> <SNIP>
> > Here's the question and concern. High bandwidth pipes, newer ones, we're
> > talking HIPPI pipes. Are there any firewall implementations that can manage
> > such a connection? Or is this too BIG a pipe and perhaps too new, and so
> > not available in existing implementations?
>
> I think your limitations are going to be host based - what speed is your
> backplane rated at or in the case of a firewall, what's your system bus
> rated to, how fast can you move data around, including in and out of the
> CPU ? I can't see what would be so difficult aside from keeping up with
> the speed.
> <SNIP>
>
> One reason I see this as important is for the impending "streaming video"
> market that will be implemented. Basically the new "BlockBusters". Some
> video servers claim 20,000 concurrent 1 Meg video streams capability. So
> ... where do the switches come from to handle that. I've heard quotes of
> blah,blah gig backplanes, since I was checking on this myself and I raised
> the security question, (without any answers I might add). Since these
> services are likely to be prime targets of BOTH the super hacks and the
> existing cable thieves a good firewall would be REALLY important. OK,
> guys. That's the market potential. Any suggestions on something that'll
> handle it?
okay, this is a bit old now, but I suspect we have a "design" problem that is best illustrated by the "change" in how a (high end) Cisco works if there are any access lists in place.

maybe someone will come up with a method of implementing a highly `branched' packet filter (that is it can distinguish easily between different classes of packets, including "good" and "bad" addresses) which can be programmed into hardware. but is having to use a ROM programmer just to update your ACLs an acceptable penalty ? and whilst you're at it, you might want to place the appropriate "triggers" in there for an IDS system.

at present, I think we need to be content with leaving the switches doing high speed work (gigabit+) out of the filter/detection loop and only do those on network branches where the packet stream isn't quite as quick. sort of like a river but only with water flowing upstream rather than down.

darren
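The "branched" packet filter the message above describes, as an added illustration that is not part of the original thread and not Darren Reed's or any vendor's code: a small first-match IPv4 ACL is evaluated once by a linear scan (the per-packet cost that grows with every rule added) and once after being compiled into a binary trie, where each lookup walks at most one step per address bit regardless of how many rules the policy holds. The ACL, the `CompiledACL` class and the sample addresses are constructed for this example; the addresses come from private and documentation ranges.

```python
"""
Toy first-match IPv4 ACL evaluated two ways:
  * linear_lookup   - scan the rules in order (what a software filter does)
  * CompiledACL     - the same policy compiled into a binary trie, a
                      "branched" structure with a bounded number of steps
Example code added to the archive page; the rules and addresses below are
constructed for illustration and are not from any real deployment.
"""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, action); the first matching rule wins, as in a Cisco-style ACL.
# Constructed sample policy: private ranges denied, one documentation
# network permitted except for its upper half, explicit deny-all at the end.
ACL: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "deny"),
    ("192.168.0.0/16", "deny"),
    ("203.0.113.128/25", "deny"),
    ("203.0.113.0/24", "permit"),
    ("0.0.0.0/0", "deny"),  # the usual implicit default, made explicit
]


def linear_lookup(acl: List[Tuple[str, str]], addr: str):
    """Return (action, rule_index, comparisons) by scanning rules in order."""
    ip = ipaddress.ip_address(addr)
    comparisons = 0
    for idx, (prefix, action) in enumerate(acl):
        comparisons += 1
        if ip in ipaddress.ip_network(prefix):
            return action, idx, comparisons
    return "deny", -1, comparisons


class TrieNode:
    __slots__ = ("child", "rule")

    def __init__(self) -> None:
        self.child: List[Optional["TrieNode"]] = [None, None]
        self.rule: Optional[int] = None  # lowest ACL index whose prefix ends here


class CompiledACL:
    """Compile a first-match ACL into a binary trie keyed on address bits.

    Each prefix is inserted along its bits; the node where it ends records
    the smallest rule index seen there. A lookup walks the address bits and
    keeps the smallest rule index encountered on the path, which reproduces
    first-match semantics without visiting rules that cannot apply.
    """

    def __init__(self, acl: List[Tuple[str, str]]) -> None:
        self.acl = acl
        self.root = TrieNode()
        for idx, (prefix, _) in enumerate(acl):
            net = ipaddress.ip_network(prefix)
            bits = int(net.network_address)
            node = self.root
            for i in range(net.prefixlen):
                bit = (bits >> (31 - i)) & 1
                if node.child[bit] is None:
                    node.child[bit] = TrieNode()
                node = node.child[bit]
            if node.rule is None or idx < node.rule:
                node.rule = idx

    def lookup(self, addr: str):
        """Return (action, rule_index, steps); steps is at most 33 for IPv4."""
        bits = int(ipaddress.ip_address(addr))
        node = self.root
        best = node.rule
        steps = 1  # the root node itself
        for i in range(32):
            nxt = node.child[(bits >> (31 - i)) & 1]
            if nxt is None:
                break  # no longer prefix exists below this point
            node = nxt
            steps += 1
            if node.rule is not None and (best is None or node.rule < best):
                best = node.rule
        if best is None:
            return "deny", -1, steps
        return self.acl[best][1], best, steps


def compare(acl: List[Tuple[str, str]], addrs: List[str]):
    """Evaluate each address both ways and return the per-address results."""
    compiled = CompiledACL(acl)
    return [(a, linear_lookup(acl, a), compiled.lookup(a)) for a in addrs]


if __name__ == "__main__":
    for addr, lin, trie in compare(ACL, ["10.1.2.3", "203.0.113.200",
                                         "203.0.113.5", "198.51.100.7"]):
        print(f"{addr:15} linear={lin} trie={trie}")
```

Both paths must agree on the action and on which rule fired; the difference is the work per packet. The linear scan's cost is the index of the matching rule plus one, so a packet that only hits the final deny-all pays for the whole list, whereas the trie's cost is bounded by the address width. That bounded, data-independent walk is what makes a classifier a candidate for a hardware table, and why reprogramming it (Darren's ROM programmer) rather than editing a list is the price.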
Current thread:
- Re: are firewalls limited to only protecting ethernet connections? Darren Reed (Oct 01)
- RE: are firewalls limited to only protecting ethernet connections? KirkAdams (Oct 06)
- Re: are firewalls limited to only protecting ethernet connections? Darren Reed (Oct 13)
- <Possible follow-ups>
- Re: are firewalls limited to only protecting ethernet connections? Steven M. Bellovin (Oct 07)
- Re: are firewalls limited to only protecting ethernet connections? R. DuFresne (Oct 07)
- Re: are firewalls limited to only protecting ethernet connections? ICMan (Oct 09)
- Re: are firewalls limited to only protecting ethernet connections? Steven M. Bellovin (Oct 07)
- Re: are firewalls limited to only protecting ethernet connections? Steven M. Bellovin (Oct 09)
- RE: are firewalls limited to only protecting ethernet connections? KirkAdams (Oct 06)