[25230] in North American Network Operators' Group
Re: "firewalls" at high speed -- was Re: FW: your mail
daemon@ATHENA.MIT.EDU (Alex P. Rudnev)
Mon Sep 27 09:02:02 1999
Date: Mon, 27 Sep 1999 16:46:18 +0400 (MSD)
From: "Alex P. Rudnev" <alex@Relcom.EU.net>
To: "Howard C. Berkowitz" <hcb@clark.net>
Cc: nanog@merit.edu
In-Reply-To: <v04011703b41512164443@[168.143.1.215]>
Message-ID: <Pine.SUN.3.91.990927164447.25341a-100000@virgin.relcom.eu.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
Perfectly...
On Mon, 27 Sep 1999, Howard C. Berkowitz wrote:
> Date: Mon, 27 Sep 1999 08:27:27 -0400
> From: Howard C. Berkowitz <hcb@clark.net>
> To: nanog@merit.edu
> Subject: "firewalls" at high speed -- was Re: FW: your mail
>
>
...
>
>
> All good points. Something else to consider: with increasing cryptographic
> security requirements, the "firewall" (ambiguous term as it is, but let's
> think of it as a stateful packet screen -- the major approach at high
> speed) is not the only device between you and the outside. It's worth
> thinking of:
>
> Bastion hosts -- not trusted with crypto keys
> Security gateways -- trusted to do encryption
> IPsec gateways
> SSL/TLS proxies
> Conduits with access lists -- for host-to-host encryption, where
> the firewall wouldn't add value
>
> There is also the very murky area where logging and intrusion detection
> mix, and whether they can operate at these speeds.
>
>
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 230-41-41, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)