Martin,
<snip>
> >
> > Does adding FW-1 to a Nokia box overload the box? That's another vendor's
> > software product on a Nokia blade. You rely on those vendors abilities to
> > integrate and perform joint testing.
>
>The Nokia Box is only a Firewall! And only does firewall tasks... :-P
Huh? Nokia sells that product as a router. IPSO is a router OS. CheckPoint adds
firewall capability.
> > Wherever possible at Cisco we use either a dedicated processor (sensor) or
> > co-processors (blade).
>
>The problem of "overloading" or "overlapping" functionalities of IDS and
>Firewall is not only processor use: it is the fact that you have a single point of
>failure in your network, so Denial of Service (the most useful
>attack on network devices) can do so much damage with no way to trace
>the attack when it is happening..
Single point of failure can be addressed via redundancy and resiliency features such
as HSRP, VRRP, and stateful failover. Single point of failure is less a product
feature problem and more often a sign of a bad design.
> >
> > In this instance Cisco develops and tests the operating system, the platform and
> > feature
> > (single vendor, minimizing risk). We do have a small background enabling new
> > software features
>
>Single vendor doesn't minimize risk. In fact, as I see things, single vendor
>could increase risk: see the PPTP case as an example. Opening a product to public
>scrutiny can be better for security improvements... Remember:
>
>"If I take letter, lock it in a safe, hide the safe somewhere in New York,
>then tell you to read the letter, that's no security. That's obscurity.
>On the other hand, if I take a letterand lock it in a safe, and then give
>you the safe along with the design specifications of the safe and a hundred
>identical safes with their combinations so that you and the world's best
>safecrackers can study the locking mechanism - and you still can't open
>the safe and read the letter - that's security" - Applied Criptography -
>Bruce Schneier - Page XIX
In a perfect world, where customers had the technical means (in the form of equipment
and trained people), I would agree with you (and Schneier). But in the world we live
and work in today, the majority of people want a vendor that will do their very
best to design, produce, and support the product.
> > in our IOS on our platforms without adversely affecting the performance of
> > the underlying platform (NAT, QOS, etc...). We open the architecture to
> > support standards (i.e. the MIB) and to create an environment where third
> > parties can create focused management and reporting capabilities.
>
>Which is good, but keep routers routing, switches switching and so on...
>
>As a digest, from Computer Security Journal Number 4, Fall 1998, "Critical
>Security Flaws in Electronic Commerce Systems", page 11: "Using routers
>to enforce Security policy". What happens with logs? Who cares about this
>device? Security People or Network Administrators?? Those are not only
>technical issues... :-P
"What happens to logs?" and "Who cares for (manages) the device?" are not technical
issues. They are people and control issues that should be dealt with in a proper
security policy document.
It's all about choice. If you don't want IDS in your router or switch, you can order
it that way.
> > >I see it as a bit dangerous relying on the same box to do both
> > >things.
"relying" yes. Incorporating the capability into your network design, no.
> > Is your concern complexity and testing? You need to rely on your
> > vendor's track record for that. Wouldn't it be interesting if more devices
> > in your network had the capability and you (or your agent) could turn the
> > capability on and off as needed?
>
>Complexity (not testing) is only part of my concern. As software grows
>and more functionality is integrated into the "same" box with no sense of
>modularity (as I feel in this case, and please correct me if I'm wrong),
>it can increase software error risk...
Putting more functionality into a box is an industry trend. It has been for years.
Look at anybody's switch. What layer does it work at? Again, the majority of
customers are voting for this with their product choices.
>"More easy, more useful" means "more complex" and then "more risky". Again,
>see Microsoft cases... :-)
>
>Thanx for your answer... I feel this discussion is really useful for me... ;-)
Well said!
Regards,
Brian
<snip>
Brian Ford