Firewall Wizards mailing list archives
Re: Lucent Managed Firewall
From: Chris Calabrese <chris_calabrese () yahoo com>
Date: Thu, 7 Sep 2000 08:33:54 -0700 (PDT)
While I haven't used the LMF in a production setting, I did have one in the lab for a while and did some pretty extensive banging on it...

The LMF appears to be a reasonably good implementation of a pure stateful inspection firewall. I was particularly impressed with how easy it was to configure and install. Unlike most so-called appliances, this one actually is quite toaster-like and requires almost no touching of anything other than the GUI, and I really appreciated the ability to farm out different admin tasks to different users by role/user/zone tuples. Also, they have a NIST Common Criteria evaluation, which will be important for US Government implementations (and possibly others).

However, the LMF in its current form is certainly not without its problems.

For one thing, Lucent has based the LMF on rather slow hardware by modern standards. For the most part, this works pretty well because the software is very efficient. But it causes problems in places where there are inherently compute-intensive or memory-intensive things going on, like packet fragment reassembly (they've got a crypto add-in card, so I won't count that). For this reason, it's probably not the best choice if you need very high speed. This is where the appliance approach breaks down. With non-appliance systems, I can always throw more hardware at the problem.

Another weakness is the minimalist approach taken to application handling. In particular, there is no built-in support for HTTP and FTP application-level protections against things like long URLs and directory names (something the proxy firewalls all have and at least some of the other stateful inspection firewalls have recently added). Also, according to the Lucent folks I talked to, the RealAudio inspection rules open the entire RealAudio UDP range, rather than statefully opening only the ports actually in use.
Similarly, there are no built-in capabilities for detecting or defending against network-level attacks like x-mas tree packets or protecting machines with weak TCP initial sequence number generation. Again, this is an area where the proxy firewalls are way ahead, but where at least some of the other stateful inspection firewalls have made at least some headway. There is integrated support for RealSecure, so it is possible to get some of this protection back by implementing that product.

Finally, the fact that the system operates as a bridge rather than a router is both a blessing and a curse. A blessing because you can easily insert and remove these things from the network without renumbering everything. A curse because you need to renumber everything if you are replacing an existing firewall that does operate as a router (virtually everything else on the market). This was a pain in our testing where we needed to use one network numbering for the LMF and another for everything else. We cleverly numbered everything to require only netmask changes, but even that was painful when we wanted to run the same test over several different firewalls and we needed to go change all the netmasks on all the machines in the test setup when we got to the LMF (and then change everything back afterwards).
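The post faults the LMF for having no built-in detection of network-level anomalies such as x-mas tree packets. As an added illustration (not code from the post, from Lucent, or from any product mentioned), the following is the kind of TCP flag sanity check a stateful inspector would apply to each header before consulting its connection table. The headers it inspects are constructed inline with a small builder; the flag combinations it names (all-flags, FIN/PSH/URG, SYN+FIN, SYN+RST, no flags) are the common illegal or never-legitimate ones, and the verdict strings are this example's own labels, not any firewall's terminology.

```python
"""TCP flag sanity checks of the sort a stateful inspection firewall can
apply per header. Added example: the header layout follows RFC 793; the
verdict names and sample headers are constructed for this illustration."""
import struct
from typing import Dict, List, Tuple

# TCP flag bits as they appear in header byte 13 (RFC 793 plus ECN bits).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def make_tcp_header(sport: int, dport: int, flags: int, seq: int = 0) -> bytes:
    """Build a minimal 20-byte TCP header (constructed sample, no checksum)."""
    data_offset = 5 << 4          # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                       data_offset, flags, 65535, 0, 0)


def parse_tcp_header(header: bytes) -> Dict[str, int]:
    """Decode the fixed part of a TCP header into its fields."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", header[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "data_offset": (off_res >> 4) * 4, "window": window}


def classify_flags(flags: int) -> str:
    """Name the flag combination; anything not flagged here is 'normal'.

    Order matters: the all-flags and FIN/PSH/URG cases are checked before
    SYN+FIN so that a header with every bit set is reported as one anomaly.
    """
    if flags == 0:
        return "null-scan"                     # no flags at all is never valid
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas-tree"                     # classic "lit up" header
    if flags & SYN and flags & FIN:
        return "syn-fin"                       # open and close in one segment
    if flags & SYN and flags & RST:
        return "syn-rst"                       # contradictory control bits
    if flags & FIN and not flags & ACK:
        return "fin-without-ack"               # FIN must ride on an established flow
    return "normal"


def inspect_headers(headers: List[bytes]) -> List[Tuple[int, str]]:
    """Run the flag check over raw headers; returns (dport, verdict) pairs."""
    results = []
    for raw in headers:
        fields = parse_tcp_header(raw)
        results.append((fields["dport"], classify_flags(fields["flags"])))
    return results


def inspect_sample() -> List[Tuple[int, str]]:
    """Constructed sample traffic: one normal handshake opener and four anomalies."""
    sample = [
        make_tcp_header(40000, 80, SYN),                 # ordinary connection attempt
        make_tcp_header(40001, 80, 0xFF),                # every flag bit set
        make_tcp_header(40002, 22, FIN | PSH | URG),     # FIN/PSH/URG probe
        make_tcp_header(40003, 25, SYN | FIN),           # SYN+FIN
        make_tcp_header(40004, 53, 0),                   # no flags
    ]
    return inspect_headers(sample)


if __name__ == "__main__":
    for dport, verdict in inspect_sample():
        print(f"dport={dport:<5} verdict={verdict}")
```

The check is intentionally stateless: it rejects combinations that are invalid for any connection, so it can run before the connection-table lookup and costs only a few bit tests per segment, which matters on the modest hardware the post describes.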