NDC Logical Firewall
Advantages:
- No re-wiring necessary
- Opt-in (easy to add/remove clients)
- Firewalls (plural) can live anywhere on the subnet
- Can have different administrators or policies, etc.
- Does not prevent NOC from managing network infrastructure
- Allows NOC to try to disconnect only misbehaving clients (not the entire firewall)
- Software is available for free
- Requires only a PC with floppy, NIC and CDROM (no hard drive, keyboard, mouse, monitor)
- Use your favorite Linux or use "Gibraltar" (boots & runs from CDROM)
- Web-based firewall rule-generator supports hand-crafting rules too
- Stateful firewall rules (more expressive and simpler to write)
- Remotely and securely administrable (via SSH login)
- Supports IPSEC tunneling between subnets
Disadvantages:
- Potentially more vulnerable from a hacked un-firewalled box on the subnet
  - A hacked box might be able to sniff traffic from the 10.x.y.z net
  - A skillful intruder might be able to configure a 10.x.y.z virtual interface
  - But this added threat is only from hosts on your own subnet
  - You're always more vulnerable to arp-spoofing, IP spoofing and hijacking attacks from your subnet anyway.
- Traffic through the firewall (off subnet) travels your network twice
  - unless you use a second NIC and rewire (which _is_ supported)
  - with a full-duplex network connection this may not reduce throughput significantly
- Clients must be re-configured with a new IP address
- A few protocols don't NAT well (or at all)
- Public & private IP addrs on one wire makes DHCP difficult
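As an added illustration (not part of the original slides or the Gibraltar/NDC software), the script below generates an iptables-restore rule set for the logical firewall described above: stateful rules, SNAT of the 10.x.y.z clients, SSH-only administration, and the single-NIC case beside the "second NIC and rewire" variant. Interface names and all addresses (192.0.2.0/24 public side, 10.1.2.0/24 client net, 192.0.2.50 admin host) are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the slide: emit an iptables-restore rule set for
# a logical firewall. All addresses are constructed: public net 192.0.2.0/24
# (RFC 5737 documentation range), firewall public address 192.0.2.10,
# client net 10.1.2.0/24 (the slide's 10.x.y.z), admin host 192.0.2.50.
# Interface names are assumptions as well.

rule() { printf '%s\n' "$*"; }   # print one rule line

# logical_fw_rules OUT_IF IN_IF PUB_IP PRIV_NET ADMIN_HOST
#   OUT_IF = IN_IF  -> single NIC, no re-wiring (the slide's default)
#   OUT_IF != IN_IF -> the "second NIC and rewire" variant
logical_fw_rules() {
    out_if=$1 in_if=$2 pub_ip=$3 priv_net=$4 admin=$5
    rule '*nat'
    # Clients keep private addresses; the firewall SNATs them to its public
    # address. With one NIC, "leaving the private net" is decided by the
    # destination address, since both nets share the same wire.
    rule -A POSTROUTING -s "$priv_net" ! -d "$priv_net" -o "$out_if" \
         -j SNAT --to-source "$pub_ip"
    rule COMMIT
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # Stateful rules: one line per chain admits all reply traffic.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -i lo -j ACCEPT
    # Remote administration: SSH only, and only from the admin host.
    rule -A INPUT -s "$admin" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    if [ "$out_if" != "$in_if" ]; then
        # Two-NIC variant: the arrival interface is known, so a private
        # source address showing up on the outside interface can be dropped.
        rule -A FORWARD -i "$out_if" -s "$priv_net" -j DROP
        rule -A FORWARD -i "$in_if" ! -s "$priv_net" -j DROP
    fi
    # Single-NIC case: the source address is all there is to match on, so a
    # host on the wire that configures its own 10.x.y.z interface (the
    # slide's "virtual interface" threat) is accepted by this rule.
    rule -A FORWARD -s "$priv_net" ! -d "$priv_net" -m state --state NEW -j ACCEPT
    rule COMMIT
}

# Single-NIC rule set; pipe into iptables-restore on the firewall host.
logical_fw_rules eth0 eth0 192.0.2.10 10.1.2.0/24 192.0.2.50
```

Compare the output of the single-NIC call with `logical_fw_rules eth0 eth1 ...` to see the two interface-based anti-spoofing rules that only the rewired variant can express.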