NDC Logical Firewall

Advantages:

• No re-wiring necessary
• Opt-in (easy to add/remove clients)
• Firewalls (plural) can live anywhere on the subnet
• Can have different administrators or policies, etc.
• Does not prevent NOC from managing network infrastructure
• Allows NOC to try to disconnect only misbehaving clients (not entire firewall)
• Software is available for free
• Requires only a PC with floppy, NIC and CDROM (no hard drive, keyboard, mouse, monitor)
• Use your favorite linux or use "Gibraltar" (boots & runs from CDROM)
• Web-based firewall rule-generator supports hand-crafting rules too
• Stateful firewall rules (more expressive and simpler to write)
• Remotely and securely administrable (via SSH login)
• Supports IPSEC tunneling between subnets

Disadvantages:

• Potentially more vulnerable from hacked un-firewalled box on subnet
• A hacked box might be able to sniff traffic from the 10.x.y.z net
• A skillful intruder might be able to configure a 10.x.y.z virtual interface
• But this added threat is only from hosts on your own subnet
• You're always more vulnerable to arp-spoofing, IP spoofing and hijacking attacks from your subnet anyway.
• Traffic through firewall (off subnet) travels your network twice
• unless you use a second NIC and rewire (which _is_ supported)
• with a full-duplex network connection this may not reduce throughput significantly
• Clients must be re-configured with a new IP address
• A few protocols don't NAT well (or at all)
• Public & private IP addrs on one wire makes DHCP difficult