| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030928192137.GA4552@deneb.enyo.de> From: fw at deneb.enyo.de (Florian Weimer) Subject: CyberInsecurity: The cost of Monopoly On Sun, Sep 28, 2003 at 08:04:58PM +0200, Michal Zalewski wrote: > I'd argue... many vendors (Okena aka Cisco, BlackICE aka ISS, etc) > provide integrated corporation-wide mechanisms for enforcing group > firewalling, access and logging/IDS policies on workstations or groups of > workstations (and, why not, also servers). I've looked at one or two such products, and if you leave some technological issues aside (I don't like it when both the original vendor and an ISV tamper with the TCP/IP stack, this could have unwanted consequences), they were rather nice, except for the prohibitive licensing model and the limited applicable in heterogenous networks (i.e. more than just Windows 2000 and XP, and maybe Red Hat). It seems to me that this technology is not universally suited for pampering over administrative problems. For recovery purposes, I'd rather have control over the network traffic after it has left the host, so that it's easy to trace it back to the source and null route it. > There are some ridiculously expensive "firewall switches" that are > IP-aware and enable per-port separation and firewalling... You can do this with any 802.1q-capable switch and a PC as a router. Peak performance sucks, but that's typically not a problem.
Powered by blists - more mailing lists