Brian Ford wrote:
> 
> Martin,
> 
> >I don't know so much detail about how your products are built and
> >designed, but... Don't you think that using the same box as a
> >firewall/router/switch and as an IDS could overload the device (the box)???
> 
> Does adding FW-1 to a Nokia box overload the box? That's another vendor's 
> software product on a Nokia blade. You rely on those vendors abilities to 
> integrate and perform joint testing.

The Nokia Box is only a Firewall! And only does firewall tasks... :-P

> Where ever possible at Cisco we use either a dedicated processor (sensor) or 
>co-processors (blade).

The problem of "overloading" or "overlapping" the functionalities of IDS and
firewall is not only processor use: it is the fact that you have a single point of
failure in your network, so a Denial of Service (the most useful
attack against network devices) can do a great deal of damage, with no way to trace
the attack while it is happening..

> 
> In this instance Cisco develops and tests the operating system, the platform and
> the feature (single vendor, minimizing risk). We do have a small background enabling
> new software features

A single vendor doesn't minimize risk. In fact, as I see things, a single vendor
could increase risk: see the PPTP case as an example. Opening a product to public
scrutiny can be better for security improvements... Remember:

"If I take a letter, lock it in a safe, hide the safe somewhere in New York,
then tell you to read the letter, that's no security. That's obscurity.
On the other hand, if I take a letter and lock it in a safe, and then give
you the safe along with the design specifications of the safe and a hundred
identical safes with their combinations so that you and the world's best
safecrackers can study the locking mechanism - and you still can't open
the safe and read the letter - that's security" - Applied Cryptography -
Bruce Schneier - Page XIX

> in our IOS on our platforms without adversely affecting the performance of
> the underlying platform (NAT, QoS, etc...). We open the architecture to
> support standards (i.e. the MIB) and to create an environment where third
> parties can create focused management and reporting capabilities.

Which is good, but keep routers routing, switches switching and so on...

As a summary, from Computer Security Journal Number 4, Fall 1998, "Critical
Security Flaws in Electronic Commerce Systems", page 11: "Using routers
to enforce security policy". What happens with the logs? Who cares about this
device? Security people or network administrators?? These are not only
technical issues... :-P

> 
> >I see it as a bit dangerous to rely on the same box to do both
> >things.
> 
> Is your concern complexity and testing? You need to rely on your
> vendor's track record for that. Wouldn't it be interesting if more devices
> in your network had the capability and you (or your agent) could turn the
> capability on and off as needed?

Complexity (not testing) is only part of my concern. As software grows
and more functionality is integrated into the "same" box with no sense of
modularity (as I feel is the case here, and please correct me if I'm wrong),
the risk of software errors can increase...

"Easier, more useful" means "more complex" and therefore "riskier". Again,
see the Microsoft cases... :-)

Thanks for your answer... I feel this discussion is really useful for me... ;-)

-- M. Hoz

--------------------------------------------------------------------
  Seguridad en Computo 2000 Mexico - Computer Security 2000 Mexico
                   http://www.seguridad2000.unam.mx