Firewall Wizards mailing list archives
Re: Sliding/Shifting/Morphing firewalls
From: "Stephen P. Berry" <spb () meshuga incyte com>
Date: Thu, 11 Feb 1999 18:20:16 -0800
> One application would be for high-bandwidth site-to-site WAN networking across the Internet with a low possibility of D.O.S. vulnerability.
Ds of S. originating from the dreaded Internet, that is. If all the RAIFset pops are in the same geographic area you're still going to be pretty vulnerable to the ol' utilities company backhoe D.O.S.
> A RAIDset of Firewalls or RAIFset just might do the trick. RAIF being modeled on the technologies of SSHF radio and disk RAIDsets (prior art), and would be done over parallel and redundant paths over public, public/private, or private links, using IP/IPsec. (I can hear my patent attorney choking himself now...). ;)
Presuming the evildoer(s) aren't privy to the constituent addresses of your RAIFset. Launching a D.O.S. against a half dozen addresses isn't markedly more difficult than launching a D.O.S. against one. I suppose you could add the additional abstraction layer of having a RAIBRset (a RAID set of border routers), each pointing to a different upstream provider, for every firewall in your RAIFset...but that's just adding additional -complexity- to the problem of launching a successful D.O.S., rather than adding additional -difficulty- (if you understand the distinction). This is of course one of the fundamental problems of using public channels. No matter how cleverly you manage your little corner of the net, there are always going to be bits upstream that you don't control. When you're investigating problems, you will invariably discover that those bits not under your control are in fact administered by groups of uberlusers who possess diagnostic skills roughly on a par with a troop of mildly concussed tarsiers. If you're relying on them for high availability bandwidth or, heavens forfend, security, you're going to get chumped.
> 'Course the RAIFset would have to be coded with a daily key for the random but predictable pattern of addresses:ports used to create an aggregated trunk.
In terms of bandwidth, the best method would probably be to use a PRNG with a reasonably long period. Set the seed during the initial setup of the constituent firewalls in the RAIFsets, and then exchange a new seed at some pre-defined interval (some wee bit less than your PRNG's period). You could also pass the next (and perhaps prior) port(-s) and address(-es) in the header of each packet, although this would pragmatically mean turning your RAIFset into a defragmenting router unless you had some mechanism for ensuring a fixed latency across any possible data paths. Retransmits---presumably only necessary if you lose both a data packet and a parity packet---would also be a bitch.

-Steve
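The seeded, time-slotted address:port schedule sketched above, as an added example that is not from the original thread: it assumes HMAC-SHA256 over a slot counter as the shared PRNG (the post names no particular PRNG), a constructed pool of documentation-range addresses, and a receiver that tolerates one slot of skew in place of carrying the next/prior hop in each packet header.

```python
import hashlib
import hmac
import struct

# Constructed pool of RAIFset member addresses (RFC 5737 documentation ranges)
# and the ephemeral port range the trunk hops within. Assumed values.
POOL = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.7"]
PORT_LO, PORT_HI = 20000, 60000
SLOT_SECONDS = 60  # hop interval; the seed itself is rotated far less often


def slot_for(now: float) -> int:
    """Map wall-clock time to the hop-schedule slot number."""
    return int(now // SLOT_SECONDS)


def hop(seed: bytes, slot: int) -> tuple[str, int]:
    """Derive the (address, port) in use during `slot` from the shared seed.

    HMAC-SHA256 keyed with the seed acts as the keyed PRF: both ends of the
    trunk compute the same hop, while an observer without the seed sees only
    an unpredictable sequence of addresses and ports.
    """
    digest = hmac.new(seed, struct.pack(">Q", slot), hashlib.sha256).digest()
    addr = POOL[int.from_bytes(digest[:4], "big") % len(POOL)]
    port = PORT_LO + int.from_bytes(digest[4:8], "big") % (PORT_HI - PORT_LO)
    return addr, port


def schedule(seed: bytes, start_slot: int, count: int) -> list[tuple[str, int]]:
    """The next `count` hops from `start_slot`, e.g. for pre-opening filter rules."""
    return [hop(seed, start_slot + i) for i in range(count)]


def accept(seed: bytes, now: float, addr: str, port: int, skew: int = 1) -> bool:
    """Receiver-side filter: admit a packet only if it arrived on the hop for the
    current slot or one within +/- `skew` slots (clock drift and path latency)."""
    current = slot_for(now)
    return any(hop(seed, current + k) == (addr, port) for k in range(-skew, skew + 1))


if __name__ == "__main__":
    seed = hashlib.sha256(b"constructed demo seed").digest()
    for s, (a, p) in enumerate(schedule(seed, 0, 5)):
        print(f"slot {s}: {a}:{p}")
```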