Ethernet Switch With a PC at Core - General Networking

Archived from groups: comp.dcom.lans.ethernet

Has anyone developed an ethernet switch that integrates an Intel PC running
a BSD variant or Windows 2000? This would be a great platform for running
Checkpoint Firewall-1 in an environment where you wanted to put every PC
behind its own firewall-controlled port. I realize that Cisco's 6500 has a
firewall module, but a 6500 is a bit more expensive than I want to go.

Alternately, is there a PCI ethernet card that attaches to an external I/O
card with 10 or more 10/100 ports per card?

--
Will

"Will" <DELETE_westes@earthbroadcast.com> writes:

>Alternately, is there a PCI ethernet card that attaches to an external I/O
>card with 10 or more 10/100 ports per card?

Just get a 1000 Mbit port and use VLAN support to run 10 or more separate
networks on it. We are quite happy with such a setup, using Linux's iptables
as the firewall code.

best regards
Patrick

"Will" <DELETE_westes@earthbroadcast.com> writes:

> Has anyone developed an ethernet switch that integrates an Intel PC running
> a BSD variant or Windows 2000?

Nokia has/had a router product that was just like this.
It was basically Intel PC hardware in a rack case,
one or two multi-port Ethernet cards (4 ports per card or so)
and an operating system based on BSD.

> This would be a great platform for running
> Checkpoint Firewall-1 in an environment where you wanted to put every PC
> behind its own firewall-controlled port.

Nokia sold their product with Checkpoint firewall as a security appliance.
http://www.cisilion.com/security/checkpoint.htm

> I realize that Cisco's 6500 has a
> firewall module, but a 6500 is a bit more expensive than I want to go.
> Alternately, is there a PCI ethernet card that attaches to an external I/O
> card with 10 or more 10/100 ports per card?

I don't know any such product.

--
Tomi Engdahl (http://www.iki.fi/then/)
Take a look at my electronics web links and documents at
http://www.epanorama.net/

"Tomi Holger Engdahl" <then@solarflare.cs.hut.fi> wrote in message
news:laj1x97nryq.fsf@solarflare.cs.hut.fi...
> "Will" <DELETE_westes@earthbroadcast.com> writes:
>
> > Has anyone developed an ethernet switch that integrates an Intel PC running
> > a BSD variant or Windows 2000?
>
> Nokia has/had a router product that was just like this.
> It was basically Intel PC hardware in a rack case,
> one or two multi-port Ethernet cards (4 ports per card or so)
> and an operating system based on BSD.

They still do - we use a lot of these in our hosted web sites at work
http://www.nokia.com/nokia/0,,43122,00.html

They also support gigabit ports - but I don't think the boxes can run them at
wire speed.
>
> > This would be a great platform for running
> > Checkpoint Firewall-1 in an environment where you wanted to put every PC
> > behind its own firewall-controlled port.
>
> Nokia sold their product with Checkpoint firewall as security appliance.
> http://www.cisilion.com/security/checkpoint.htm

Just remember that Checkpoint isn't cheap - a multi-port config for your type
of application may well need the most expensive unlimited-user-count licence.
>
> > I realize that Cisco's 6500 has a
> > firewall module, but a 6500 is a bit more expensive than I want to go.
> > Alternately, is there a PCI ethernet card that attaches to an external I/O
> > card with 10 or more 10/100 ports per card?
>
> I don't know any such product.
>
> --
> Tomi Engdahl (http://www.iki.fi/then/)
> Take a look at my electronics web links and documents at
> http://www.epanorama.net/
--
Regards

Stephen Hope - return address needs fewer xxs

Right, I know about Nokia. But I want something with 40+ ports on it and
true switch-like performance that can be used on an intranet as the backbone
of the network.

Nokia is a PC with a few four-port cards that runs a BSD variant and
Checkpoint in the kernel. I want the same concept with a true switch
instead of a PCI bus.

--
Will


"Tomi Holger Engdahl" <then@solarflare.cs.hut.fi> wrote in message
news:laj1x97nryq.fsf@solarflare.cs.hut.fi...
> > Has anyone developed an ethernet switch that integrates an Intel PC running
> > a BSD variant or Windows 2000?
>
> Nokia has/had a router product that was just like this.
> It was basically Intel PC hardware in a rack case,
> one or two multi-port Ethernet cards (4 ports per card or so)
> and an operating system based on BSD.

"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:vOadnedGzrkSXPjfRVn-1w@giganews.com...
> Right, I know about Nokia. But I want something with 40+ ports on it and
> true switch-like performance that can be used on an intranet as the backbone
> of the network.
>
This is going to cost a fair amount of money - several reasons, but
expensive software and specialised hardware with relatively low numbers of
devices being made all push up the price.

> Nokia is a PC with a few four-port cards that runs a BSD variant and
> Checkpoint in the kernel. I want the same concept with a true switch
> instead of a PCI bus.

Try the Alteon switched firewall (Nortel Networks) - same basic idea of a
packaged PC running Checkpoint, but a specialised hardware switch can be
used to offload the traffic through the firewall to hardware.

It supports 240 or so logical interfaces, 8 Gig ports, VLANs, virtual
firewalls, and scaling up by adding more accelerators.

Netscreen make some dedicated boxes for a similar scale, or we go back to a
PIX firewall blade.

The only other potential path is to use something like traffic filters rather
than a purpose-made firewall - but even there you are going to want a high
end box to get hardware acceleration to get to the kind of performance you
are asking for - maybe a Cisco Catalyst 6509 / Sup 720 / firewall IOS
combination, or maybe high end hardware from Foundry / Extreme?
>
> --
> Will
>
>
> "Tomi Holger Engdahl" <then@solarflare.cs.hut.fi> wrote in message
> news:laj1x97nryq.fsf@solarflare.cs.hut.fi...
> > > Has anyone developed an ethernet switch that integrates an Intel PC running
> > > a BSD variant or Windows 2000?
> >
> > Nokia has/had a router product that was just like this.
> > It was basically Intel PC hardware in a rack case,
> > one or two multi-port Ethernet cards (4 ports per card or so)
> > and an operating system based on BSD.
--
Regards

Stephen Hope - return address needs fewer xxs

"Will" <DELETE_westes@earthbroadcast.com> wrote:
>But I want something with 40+ ports on it and
>true switch-like performance

Why not a separate 48-port hardware-based switch for performance and
an external PC-based firewall?

The beauty of using a firewall port for each machine on an Intranet is that
you can:

1) ...easily identify the source of a virus, as when you see a specific
machine originating huge amounts of SMTP traffic in the firewall log.
Likewise, you can easily spot some program or individual spoofing a
different machine's source IP and forbid such machines from getting out to
the intranet at all.

2) ...easily control the kinds of traffic allowed between machines on your
Intranet. For example, Programmers' computers might be able to browse
files on a test database server, but probably your bookkeepers' computers
cannot do that. Microsoft has its own approach to controlling access
using domain authenticated users. That doesn't help much when a key user
password is compromised, and frankly on many intranet machines breaking in
to the default security configuration for most Microsoft OS is not hard. A
firewall can facilitate setting much more ironclad security policies. For
example, in my example above the bookkeepers' *computers* won't be able to
ping or test any port on most programmer related computers, and it won't
matter who logs into that machine. I'm fairly sick of relying on
Microsoft's "security", and I'm ready to call in the heavy weapons.

I'm sure that setting such rigid security through a hardware based firewall
on an intranet would be cumbersome for a huge company. But for a company
with less than 100 employees I think it would not be hard to administer the
software security policies on the firewall, if you made intelligent use of
Groups in your rules. And you would get payback over and over each time
you have a security breach on a specific machine.

--
Will


<William P. N. Smith> wrote in message
news:0odc6157kc8km8dj7q0r48f3et3q57amel@4ax.com...
> "Will" <DELETE_westes@earthbroadcast.com> wrote:
> >But I want something with 40+ ports on it and
> >true switch-like performance
>
> Why not a separate 48-port hardware-based switch for performance and
> an external PC-based firewall?
>
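
Patrick's suggestion earlier in the thread (one gigabit port carrying a separate VLAN per network, with iptables as the firewall code) and Will's point above about writing the rules in terms of groups fit together in a small policy compiler. The following is an added example written for this page, not code posted by anyone in the thread; it assumes a Linux firewall whose single uplink eth0 is an 802.1Q trunk with one VLAN and one /24 per workstation, and the host names, VLAN ids, addresses, groups and ports in its tables are constructed for the example.

```python
"""Compile a group-based intranet policy into per-VLAN iptables rules.

Added example; not code from the thread. It assumes a Linux firewall with
one gigabit uplink (eth0) carrying one 802.1Q VLAN per workstation, so each
host is alone behind its own sub-interface, and a policy written in terms of
groups rather than individual hosts. Hosts, VLAN ids, addresses and ports
below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    vlan: int      # 802.1Q tag; each host gets its own
    ip: str        # the only source address allowed on that VLAN
    group: str     # policy is written against groups, not hosts

    @property
    def iface(self) -> str:
        return f"eth0.{self.vlan}"

    @property
    def gateway(self) -> str:
        """The firewall's own address on this host's /24 (.1 by convention here)."""
        return ".".join(self.ip.split(".")[:3] + ["1"])


HOSTS = [
    Host("dev-1", 11, "10.0.11.2", "programmers"),
    Host("dev-2", 12, "10.0.12.2", "programmers"),
    Host("acct-1", 21, "10.0.21.2", "bookkeepers"),
    Host("testdb", 31, "10.0.31.2", "testdb"),
]

# (source group, destination group, protocol, destination port or None).
# Anything not listed is dropped and logged, so the bookkeepers' machine
# cannot even ping the programmers' machines, whoever is logged in.
POLICY = [
    ("programmers", "testdb", "tcp", 5432),
    ("programmers", "programmers", "icmp", None),
]


def vlan_setup(hosts, parent="eth0"):
    """ip(8) commands creating one VLAN sub-interface per host on the uplink."""
    cmds = []
    for h in hosts:
        cmds.append(f"ip link add link {parent} name {h.iface} type vlan id {h.vlan}")
        cmds.append(f"ip addr add {h.gateway}/24 dev {h.iface}")
        cmds.append(f"ip link set {h.iface} up")
    return cmds


def compile_rules(hosts, policy):
    """iptables FORWARD-chain rules, in order, for the given hosts and policy."""
    by_group = {}
    for h in hosts:
        by_group.setdefault(h.group, []).append(h)

    rules = [
        "-P FORWARD DROP",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    # Ingress anti-spoofing: a packet arriving on a host's VLAN must carry
    # that host's address. A forged source is logged with the interface it
    # came in on, which is what pins a rogue machine to a physical port.
    for h in hosts:
        rules.append(f'-A FORWARD -i {h.iface} ! -s {h.ip} -j LOG --log-prefix "SPOOF {h.iface} "')
        rules.append(f"-A FORWARD -i {h.iface} ! -s {h.ip} -j DROP")
    # Group-to-group allows expand to one rule per (source host, destination host).
    for src_group, dst_group, proto, dport in policy:
        for s in by_group.get(src_group, []):
            for d in by_group.get(dst_group, []):
                if s is d:
                    continue
                parts = [f"-A FORWARD -i {s.iface} -s {s.ip} -o {d.iface} -d {d.ip} -p {proto}"]
                if dport is not None:
                    parts.append(f"--dport {dport}")
                parts.append("-m conntrack --ctstate NEW -j ACCEPT")
                rules.append(" ".join(parts))
    # Default deny, logged, so the firewall log is the first place to look.
    rules.append('-A FORWARD -j LOG --log-prefix "DENY "')
    rules.append("-A FORWARD -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(vlan_setup(HOSTS) + [f"iptables {r}" for r in compile_rules(HOSTS, POLICY)]))
```

Adding a host means one more table row; moving a person between groups means editing one field, and the rule set is regenerated rather than edited by hand. The anti-spoofing rules sit before any allow so that a forged source is logged and dropped even when the forged address would otherwise have been permitted.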

Will wrote:

> The beauty of using a firewall port for each machine on an Intranet is
> that you can:
>
> 1) ...easily identify the source of a virus, as when you see a specific
> machine originating huge amounts of SMTP traffic in the firewall log.

Uh, you should be able to detect this using any network analyzer including
the one that comes with Windows Server.

> Likewise, you can easily spot some program or individual spoofing a
> different machine's source IP and forbid such machines from getting out to
> the intranet at all.

You don't need individual firewall ports to do this. All that you have to
do is block packets which come from machines that do not have a specific
matching of MAC and IP addresses. Has this been a problem on your system?
>
> 2) ...easily control the kinds of traffic allowed between machines on your
> Intranet. For example, Programmers' computers might be able to browse
> files on a test database server, but probably your bookkeepers' computers
> cannot do that. Microsoft has its own approach to controlling access
> using domain authenticated users. That doesn't help much when a key user
> password is compromised, and frankly on many intranet machines breaking in
> to the default security configuration for most Microsoft OS is not hard.

(a) The method that Microsoft uses they copied from Novell and Novell copied
it from Banyan and Banyan pretty much copied it from mainframes. It's time
tested and properly administered works fine for most situations.

(b) If a key password is compromised your security is down the toilet
regardless. What happens in your proposed system when the password for
your frankenfirewall is compromised?

> A
> firewall can facilitate setting much more ironclad security policies.

How "ironclad" do you need to be?

> For example, in my example above the bookeepers' *computers* won't be able
> to ping or test any port on most programmer related computers,

Have you had a problem with bookkeepers getting into the programmers'
machines? In any case this doesn't require each machine to have its own
firewalled port.

> and it won't
> matter who logs into that machine. I'm fairly sick of relying on
> Microsoft's "security", and I'm ready to call in the heavy weapons.
> Microsoft's "security", and I'm ready to call in the heavy weapons.

Why, do you have specific problems? It sounds to me like you haven't really
mastered Windows security and you're looking for some kind of shortcut.

> I'm sure that setting such rigid security through a hardware based firewall
> on an intranet would be cumbersome for a huge company.

It would be cumbersome for any sized company. What leads you to believe
that a company with ten thousand employees would have less need for such a
system than does yours?

> But for a company
> with less than 100 employees I think it would not be hard to administer
> the software security policies on the firewall, if you made intelligent
> use of Groups in your rules.

You might be surprised, considering that some of what you want to do
requires a different rule on each port.

> And you would get payback over and over each time
> you have a security breach on a specific machine.

It looks like you're making much more work for yourself than you need to.
Learn to use the tools you have properly. For example you talk about the
default security configuration on Windows servers. If you're in charge of
this network then why are you using the default configuration? And if you
don't have the authority to change the security configuration on the
servers I really want to be a fly on the wall the day that management finds
out that you've circumvented that stricture by micromanaging network
traffic.
>

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)

"J. Clarke" <jclarke.usenet@snet.net.invalid> wrote in message
news:d479eh02tfr@news1.newsguy.com...
> Uh, you should be able to detect this using any network analyzer including
> the one that comes with Windows Server.

If you are using a switch, your sniffer won't see all of the traffic. If
you configure your switch to duplicate all traffic to the sniffer port, now
you create collisions that affect performance. The whole point of using a
switch was to optimize traffic flow and avoid collisions.

Do you want to leave your sniffer running 24 hours a day? And what if the
machine in question is spoofing its IP? Now you need to go look at MAC
addresses and look at your internal documentation about what host that might
be. And what happens if it is an unknown MAC address? Now you have to go
tear apart your facility looking for the device, which could be almost
anywhere.

If you have each host on its own dedicated firewall port, now any rogue
device can be immediately located to a specific geography by virtue of the
interface on which it enters the firewall.


> You don't need individual firewall ports to do this. All that you have to
> do is block packets which come from machines that do not have a specific
> matching of MAC and IP addresses. Has this been a problem on your system?

So now you want me to in effect configure firewall-like rules on every
target host? Why is it better to configure 40 hosts instead of configuring
one firewall? You sound like you just like the status quo a whole lot more
than you like saving your time.

I understand fully well that I can invest every hour of my life making every
computer on my network a fortress. That to me sounds a lot like
configuring 40 firewalls instead of investing time into configuring one.


> (a) The method that Microsoft uses they copied from Novell and Novell copied
> it from Banyan and Banyan pretty much copied it from mainframes. It's time
> tested and properly administered works fine for most situations.

I guess time tested explains why on the last four corporate networks of
really large corporations, when we plugged our notebooks to their internal
networks to give presentations we were immediately attacked by dozens of
viruses on many different machines. No one inside the companies noticed
and no one cared. It's easy to compromise a default-configured Windows
box. That's why 60% of all home machines are virus infested by some
estimates. You can use all of the Microsoft tricks like security profiles,
but when you turn up security all the way, now all of the default Microsoft
services stop working and you end up having to debug which resources they
need access to.

Why is this time-tested formula better than simply securing access by a
firewall, which offers a much more robust methodology, which is guaranteed
to offer many levels of protection even when the machine in question is in
an insecure configuration.


> (b) If a key password is compromised your security is down the toilet
> regardless. What happens in your proposed system when the password for
> your frankenfirewall is compromised?

No, you have missed the point completely. If you design access to secure
machines to only come from certain physically secured hosts, then anyone who
steals a userid and password won't be able to login to secured hosts from
non-secured workstations because those non-secured workstations are blocked
through a firewall. Having a stolen account when you don't have physical
access to a machine that can login to the resources you want doesn't do you
any good. Firewalls provide an additional layer of security above and
beyond what Microsoft's security layer provides. Each has its place, and
each complements the other if designed well.

Obviously if your firewall is compromised you are hosed. That's why you
physically secure a firewall, and if you are careful you only use separate
local accounts on the firewall to authenticate to it. Ideally you use
crypto devices to provide a physical token together with a known password,
so that a stolen account still cannot compromise that box.


> Why, do you have specific problems? It sounds to me like you haven't really
> mastered Windows security and you're looking for some kind of shortcut.

I've read every 200 page security manifesto that Microsoft has written.
It takes me more time to secure a single Windows box and then debug
permissions that applications need to work than it does to set up a firewall
for an entire network. I just want to save time and get results. If you
think you can get better results by working with Microsoft's software, it is
a free world after all and I won't try to stop you.

--
Will
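
Will's argument above, that the firewall log locates a rogue device by the interface it entered on, and J. Clarke's point that a MAC-to-IP match catches spoofing, can both be worked on the log lines such a firewall produces. The following is an added example written for this page, not code from any poster; it assumes the firewall logs with the iptables LOG target (so each line carries IN=, MAC=, SRC=, DST=, PROTO= and DPT= fields) and that an inventory maps each VLAN sub-interface to the one host wired to it. The log lines, interface names, addresses and MACs are constructed for the example.

```python
"""Triage iptables LOG lines from a firewall with one host per port.

Added example; not code from the thread. It assumes the firewall logs with
the iptables LOG target (lines carry IN=, MAC=, SRC=, DST=, PROTO=, DPT=) and
that an inventory maps each VLAN sub-interface to the single host wired to it.
Log lines, interface names, addresses and MACs below are constructed.
"""
import re
from collections import Counter

FIELD = re.compile(r"(\w+)=(\S*)")

# sub-interface -> (expected source IP, expected source MAC) of the host behind it
INVENTORY = {
    "eth0.11": ("10.0.11.2", "00:50:56:00:00:11"),
    "eth0.12": ("10.0.12.2", "00:50:56:00:00:12"),
    "eth0.21": ("10.0.21.2", "00:50:56:00:00:21"),
}


def parse_log_line(line):
    """All KEY=value fields of one LOG line as a dict."""
    return dict(FIELD.findall(line))


def src_mac(mac_field):
    """The LOG MAC= field is dst MAC, src MAC and ethertype, colon-joined;
    the source MAC is octets 6..11."""
    octets = mac_field.split(":")
    return ":".join(octets[6:12]) if len(octets) >= 12 else None


def triage(lines, inventory, smtp_threshold=3):
    """Return findings as (kind, interface, detail) tuples.

    rogue-mac:  a MAC other than the inventoried host's is talking on a port
    spoofed-ip: the right machine is using another host's address
    smtp-flood: one port originating unusual numbers of outbound SMTP connections
    The interface in each finding is the physical port to walk to.
    """
    findings = []
    smtp = Counter()
    for line in lines:
        f = parse_log_line(line)
        iface = f.get("IN")
        if iface not in inventory:
            continue
        exp_ip, exp_mac = inventory[iface]
        mac = src_mac(f.get("MAC", ""))
        if mac != exp_mac:
            findings.append(("rogue-mac", iface, mac))
        elif f.get("SRC") != exp_ip:
            findings.append(("spoofed-ip", iface, f.get("SRC")))
        if f.get("PROTO") == "TCP" and f.get("DPT") == "25":
            smtp[iface] += 1
    for iface, n in smtp.items():
        if n >= smtp_threshold:
            findings.append(("smtp-flood", iface, n))
    return findings


def _log(prefix, iface, out, mac, src, dst, proto, dpt):
    """Build one constructed LOG line in the kernel's format."""
    return (f"Apr 21 14:07:18 fw kernel: {prefix} IN={iface} OUT={out} "
            f"MAC=00:50:56:00:00:01:{mac}:08:00 SRC={src} DST={dst} "
            f"LEN=60 TTL=64 PROTO={proto} SPT=1025 DPT={dpt}")


SAMPLE_LOG = [
    # acct-1 opening SMTP sessions to one outside address after another: mass-mailer
    *(_log("DENY", "eth0.21", "eth1", "00:50:56:00:00:21", "10.0.21.2",
           f"203.0.113.{i}", "TCP", 25) for i in range(4)),
    # dev-2 forging dev-1's address; the port it arrived on gives it away
    _log("SPOOF eth0.12", "eth0.12", "eth0.31", "00:50:56:00:00:12",
         "10.0.11.2", "10.0.31.2", "TCP", 5432),
    # an unknown MAC on the bookkeeper's port: something other than acct-1 is plugged in
    _log("SPOOF eth0.21", "eth0.21", "eth0.11", "00:de:ad:be:ef:00",
         "10.0.21.2", "10.0.11.2", "TCP", 139),
]

if __name__ == "__main__":
    for kind, iface, detail in triage(SAMPLE_LOG, INVENTORY):
        print(f"{kind:11s} {iface:8s} {detail}")
```

The MAC check runs before the IP check because an unknown MAC on a port means a different physical device, which is a different response from a known machine misusing an address. The SMTP threshold is deliberately low for the constructed sample; on a real network it would be tuned to the host's normal mail volume.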

I see that Cisco and several other switch vendors have features to just copy
data to a sniffer port. In our case we have many smaller switches from
different vendors rather than one large one, so I'm not sure how easy it
would be for us to have all network traffic on a single port. We would
also need to make sure that the size of the pipe on that one port was
sufficient to hold all of the network's traffic at any peak level, and that
might actually exceed a gigabit occasionally in our case.

It still seems like a hassle to deal with a layer 2 / layer 3 sniffer dump
compared to a firewall log when dealing with most security issues. I
acknowledge that the lower level of detail from a sniffer is sometimes what
you need. But I would rather pull out the special tool when I need it
rather than have the sniffer act in the role of a security monitor 24 hours
a day.

I'm comfortable with the way firewalls work, and I prefer to deal with a
firewall log's semantics as a first level response to a security issue. I
also want to be free to design a security policy that is imposed on the
network regardless of the configuration of the machines on that network. I
don't want a security policy that is a side-effect from how well I or others
remembered to configure individual machines on the network.

--
Will


"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:r7WdnUmlJJ39pfrfRVn-iQ@giganews.com...
> If you are using a switch, your sniffer won't see all of the traffic. If
> you configure your switch to duplicate all traffic to the sniffer port, now
> you create collisions that affect performance. The whole point of using a
> switch was to optimize traffic flow and avoid collisions.

Will wrote:

> "J. Clarke" <jclarke.usenet@snet.net.invalid> wrote in message
> news:d479eh02tfr@news1.newsguy.com...
>> Uh, you should be able to detect this using any network analyzer
>> including the one that comes with Windows Server.
>
> If you are using a switch, your sniffer won't see all of the traffic.

If it's broadcasts then all machines will see it. If it's going to the
Internet then the bastion host will see it. If it's not detectable by
either of those means then it's not producing the vast amount of traffic
that you claim.

> If
> you configure your switch to duplicate all traffic to the sniffer port, now
> you create collisions that affect performance.

No, you do not. You may create contention but if you create collisions then
you misconfigured something.

> The whole point of using a
> switch was to optimize traffic flow and avoid collisions.
>
> Do you want to leave your sniffer running 24 hours a day?

Yes. Why not? You might want to look at snort by the way.

> And what if the
> machine in question is spoofing its IP? Now you need to go look at MAC
> addresses and look at your internal documentation about what host that might
> be.

And this is a problem how?

> And what happens if it is an unknown Mac address? Now you have to
> go tear apart your facility looking for the device, which could be almost
> anywhere.

What happens if it's an unknown IP address? Same problem. In point of
fact, your switch should tell you what port is talking to that MAC address
and from there you should be able to trace out the cable to the offending
machine.

> If you have each host on its own dedicated firewall port, now any rogue
> device can be immediately located to a specific geography by virtue of the
> interface on which it enters the firewall.

All that tells you is what port it's on, which any managed switch will tell
you.

>> You don't need individual firewall ports to do this. All that you have
>> to do is block packets which come from machines that do not have a
>> specific matching of MAC and IP addresses. Has this been a problem on
>> your system?
>
> So now you want me to in effect configure firewall-like rules on every
> target host? Why is it better to configure 40 hosts instead of
> configuring one firewall? You sound like you just like the status quo a
> whole lot more than you like saving your time.

No, I want you to configure firewall like rules on your firewall. As for
configuring firewall-like rules on every target host, configuring 40
firewalls is configuring 40 firewalls--it doesn't matter if they are all in
one box or are on 40 separate machines.

> I understand fully well that I can invest every hour of my life making
> every computer on my network a fortress.

If every computer on your network needs to be a fortress then you've got a
personnel problem, not a network security problem. In any case, if you'd
rather invest every hour of your life trying to use a frankenfirewall to
close security holes that should be closed at the OS level, you're not
really making wise use of your time.

> That to me sounds a lot like
> configuring 40 firewalls instead of investing time into configuring one.

>> (a) The method that Microsoft uses they copied from Novell and Novell copied
>> it from Banyan and Banyan pretty much copied it from mainframes. It's time
>> tested and properly administered works fine for most situations.
>
> I guess time tested explains why on the last four corporate networks of
> really large corporations, when we plugged our notebooksto their internal
> networks to give presentations we were immediately attacked by dozens of
> viruses on many different machines.

Were you able to identify which "viruses" were "attacking you"? What was
the nature of the attack? Could you identify the machines? How did you
know that they were "attacking" you? Did you inform the IT manager of this
and provide copies of your logs?

> No one inside the companies noticed
> and no one cared.

Perhaps there's a reason for that.

> It's easy to compromise a default-configured Windows
> box.

So what? It's easy to compromise a default-configured Cisco firewall as
well. For that matter read Feynman's tale of the safes at Los Alamos. If
the person responsible for security doesn't do his job and change the
configuration to one appropriate to his needs, then any system, including
your frankenfirewall is easily compromised.

> That's why 60% of all home machines are virus infested by some
> estimates.

I thought we were talking about machines in your business, not "typical home
machines".

> You can use all of the Microsoft tricks like security
> profiles, but when you turn up security all the way, now all of the
> default Microsoft services stop working and you end up having to debug
> which resources they need access to.

Yes, you do. So what? You do this once, you deploy network-wide, you're
done until the next problem comes along.

> Why is this time-tested formula better than simply securing access by a
> firewall, which offers a much more robust methodology, which is guaranteed
> to offer many levels of protection even when the machine in question is in
> an insecure configuration.

Because managing 100 firewall ports each with a separate configuration is
not any easier than getting the security on the machines right, if you
don't do it right then it breaks a bunch of services, and since most
malware gets into the system via the diskette drives of machines with lax
security, which your proposal does _nothing_ to address, it's really
tackling the wrong end of the problem.

>> (b) If a key password is compromised your security is down the toilet
>> regardless. What happens in your proposed system when the password for
>> your frankenfirewall is compromised?
>
> No, you have missed the point completely. If you design access to secure
> machines to only come from certain physically secured hosts, then anyone
> who steals a userid and password won't be able to login to secured hosts
> from non-secured workstations because those non-secured workstations are
> blocked through a firewall.

You don't need a frankenfirewall to do that. Windows security on the host
is quite capable of allowing a userid to be used only on specific machines
or classes of machine.

> Having a stolen account when you don't have
> physical access to a machine that can login to the resources you want
> doesn't do you any good. Firewalls provide an additional layer of security
> above and beyond what Microsoft's security layer provides. Each has its
> place, and each complements the other if designed well.

You are correct on this point. But putting a separate firewall on each
machine is overkill for almost all situations.

> Obviously if your firewall is compromised you are hosed. That's why you
> physically secure a firewall, and if you are careful you only use separate
> local accounts on the firewall to authenticate to it. Ideally you use
> crypto devices to provide a physical token together with a known password,
> so that a stolen account still cannot compromise that box.

So it sounds like you're willing to put a lot of effort into securing your
frankenfirewall. Why not put that effort into your security policies
instead?

>> Why, do you have specific problems? It sounds to me like you haven't really
>> mastered Windows security and you're looking for some kind of shortcut.
>
> I've read every 200 page security manifesto that Microsoft has written.

Reading "200 page security manifestos" doesn't teach you how to use the
system. The O'Reilly book on Active Directory is 752 pages and it's just
getting you started. Have you gone through it yourself and experimented
with it finding how the pieces interact? Have you tried to figure out how
to make it deal with the situations you fear?

> It takes me more time to secure a single Windows box and then debug
> permissions that applications need to work than it does to set up a
> firewall for an entire network.

Well, you've done that. If you kept notes you should be able to set
policies systemwide that implement that same configuration on all your
Windows boxen.

> I just want to save time and get results. If
> you think you can get better results by working with Microsoft's software,
> it is a free world after all and I won't try to stop you.

If you are going to work as a security administrator in a Microsoft shop,
you are going to get the best results by mastering the Microsoft security
system before you go off trying to invent a frankenfirewall. Once you've
mastered Microsoft's security, if you _then_ find it inadequate, it's time
to add additional protection. But the things you're complaining about just
aren't that hard to do using Microsoft's security.

Start thinking "system". Ask yourself "if I want to set the security on
this workstation to do this, what security policies do I have to set in
Active Directory". Once you've gotten your mind around doing things using
security policies instead of sitting down at the individual workstation and
twiddling I think your life will get a lot easier. But the security
policies are a complex topic which can't be covered in a few USENET posts.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)

04-21-2005 at 02:07:18 PM