
List:       firewalls-gc
Subject:    Re: Firewall Product List
From:       KMcCann () idrc ! ca
Date:       1995-00-13 11:53:13

>First, I appreciate the fact that you took time to mention "Blackhole"
>and share your experience.  The above recommendation, however, is lacking
>a number of technical pieces to support it.

Mea culpa. I just signed on to this list and am (was) not aware of the 
flavour or expectations.

>What makes you think that their transparency method allows total protection? 
>What is YOUR definition of total protection?  What exactly IS this method 
>and how do they implement it?  What do you mean by good stats?  Rejected 
>attacks?  How well have you tested the various security policies that this 
>firewall is supposedly enforcing?
                       
Okay, let me give a description of how BlackHole works:

- based on TCP routing principle which requires all IP packets between 
Internet and the protected network to pass through BlackHole.

- BH's operating system kernel is modified to disable all IP forwarding, 
source routing, and IP redirecting functions (i.e. no ICMP redirecting).

- monitors all inbound and outbound traffic and authorizes access based on 
what the administrator has specifically allowed via the maintenance of a 
table. By default, nothing comes in or out until the file is configured for 
the desired effect.

Transparency (which is what I originally wanted to illuminate):

- Once BH receives a packet requesting a connection, it will attempt to start 
a session to the target machine on behalf of the internal host. Once 
connected, BH will relay all packets between the private and the target 
hosts. Both hosts 'believe' they are communicating directly, but in reality, 
BH authenticates and passes traffic between them.

- internal users need not connect to a proxy server, then from there manually 
start another session to the target - as is the case with the other firewalls 
I looked at. BH allows for seamless connections. The end user sees no 
difference, and more importantly, Windows clients such as FTP and Telnet are 
not adversely affected by a two-step process. Seamless and transparent.

- "advanced" applications such as Mosaic are not inhibited, due to 
transparency. With some other firewalls, sys admins will need to get the 
httpd proxy and slap it on. What about future applications? Will you 
continually have to wait until someone on the net writes a proxy? Will it be 
safe? These issues are of no concern with BlackHole, due to transparency.

Logfiles:

- I have used the logfiles to not only show access denials, but also usage of 
Internet clients internally (FTP, Gopher, Telnet, Mosaic) as well as incoming 
and outgoing mail. There are stats for the entire centre as well as for 
individual users. We can see who the top WWW users are, who receives the most 
Internet mail, etc. These stats can be very useful for making a case to 
management. For example, I graphed usage of Gopher and WWW by our staff. By 
showing that the WWW usage was increasing and the gopher usage levelling off, 
I was able to convince management that we need to provide a WWW server for 
dissemination, in addition to the gopher server we have now (based on the 
assumption that if our own staff is leaning toward WWW, so might the rest of 
the Internet).                         

What I would humbly suggest is that if non-techie management types who are 
listening want to try it out, they should not simply believe Kevin McCann and 
instantly issue a purchase order. Rather, they should ask for an evaluation 
term and commission a technical person to test the yingyang out of it (as I 
did). 
Regards (and thanks for your point well made, Jeff),

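As an added illustration of the relay model the post describes (this is not BlackHole's code and is not part of the original message): a minimal Python asyncio relay with a default-deny rule table, a connection opened to the target on behalf of the internal host, bytes shuttled both ways, and one log record per connection for denial and usage stats. The rule table and addresses are constructed, and the listener takes the destination as a parameter, since recovering a connection's original destination from the kernel is OS-specific and outside this example.

```python
import asyncio
import ipaddress
from datetime import datetime, timezone

# Constructed rule table standing in for the administrator-maintained table:
# (source network, destination network, destination port). No match means deny.
RULES = [
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("0.0.0.0/0"), 80),    # staff -> WWW
    (ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("0.0.0.0/0"), 21),    # staff -> FTP
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("10.0.0.25/32"), 25),  # Internet -> mail host
]

def permitted(src: str, dst: str, dport: int) -> bool:
    """Default deny: allow only if some rule matches source, destination and port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn and dport == p for sn, dn, p in RULES)

def log_line(src: str, dst: str, dport: int, allowed: bool, nbytes: int = 0) -> str:
    """One record per connection: raw material for denial counts and per-user usage."""
    verdict = "ALLOW" if allowed else "DENY"
    return f"{datetime.now(timezone.utc):%Y-%m-%dT%H:%M:%SZ} {verdict} {src} -> {dst}:{dport} bytes={nbytes}"

async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> int:
    """Copy bytes one way until EOF; returns the byte count for the usage log."""
    total = 0
    try:
        while data := await reader.read(65536):
            total += len(data)
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()
    return total

async def handle(client_r, client_w, dst: str, dport: int) -> None:
    """Relay step: open the target session for the internal host, then shuttle both ways."""
    src = client_w.get_extra_info("peername")[0]
    if not permitted(src, dst, dport):
        print(log_line(src, dst, dport, False))
        client_w.close()
        return
    target_r, target_w = await asyncio.open_connection(dst, dport)
    up, down = await asyncio.gather(_pump(client_r, target_w), _pump(target_r, client_w))
    print(log_line(src, dst, dport, True, up + down))

async def serve(listen_port: int, dst: str, dport: int) -> None:
    """Listen on the inside interface; dst:dport is the assumed original destination."""
    server = await asyncio.start_server(lambda r, w: handle(r, w, dst, dport), "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()
```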