[164734] in North American Network Operators' Group


Re: which firewall product?

daemon@ATHENA.MIT.EDU (Blake Dunlap)
Tue Jul 30 20:14:07 2013

In-Reply-To: <CAP-guGXB39mQKBAv3jbmvFC_-XWNuJ1Sv3pvgQstUxKDPZR6vA@mail.gmail.com>
From: Blake Dunlap <ikiris@gmail.com>
Date: Tue, 30 Jul 2013 19:13:22 -0500
To: William Herrin <bill@herrin.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Understood. I expected as much but thought I'd ask. Most of my suggestions
would require more knowledge of the layout to be filtered out.

I really don't know what you'd find that would do what you want in this
case, based on the requirements stated previously. Sorry =/

I'd look more to finding a way to make it a truly isolated unit that they
could audit personally, instead of a distributed zone with boundaries in
the middle.

-Blake


On Tue, Jul 30, 2013 at 5:39 PM, William Herrin <bill@herrin.us> wrote:

> On Tue, Jul 30, 2013 at 5:36 PM, Blake Dunlap <ikiris@gmail.com> wrote:
> > Well, I guess my first question is: Is this a design you are stuck with
> > for some reason or, alternately, is there a good reason for it, and I need
> > to be educated as to real world design? It seems rather odd to put a
> > firewall boundary between a LB and its associated cluster as opposed to in
> > front of the LB.
>
> Howdy,
>
> Paperwork. The customer owns 3 servers in a system consisting of
> a hundred or so. He wants his security people to accredit it. They
> won't accredit individual servers, so his options were: duplicate the
> full system just for him (very expensive) or create a security
> boundary where he can say, "This is my enclave. Accredit my enclave."
>
> Naturally his security people decide that they don't want the
> firewalls to be additional servers running Linux. That would make it
> far too easy to secure his system. I don't yet know if they'd accept
> an appliance running Linux underneath. :/
>
> -Bill
>
>
> --
> William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
> 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
> Falls Church, VA 22042-3004
>
