Ethernet Switch With a PC at Core
Will (Guest)
Posted: Tue Apr 19, 2005 8:20 am    Post subject: Ethernet Switch With a PC at Core

Has anyone developed an ethernet switch that integrates an Intel PC running
a BSD variant or Windows 2000? This would be a great platform for running
Checkpoint Firewall-1 in an environment where you wanted to put every PC
behind its own firewall-controlled port. I realize that Cisco's 6500 has a
firewall module, but a 6500 is a bit more expensive than I want to go.

Alternately, is there a PCI ethernet card that attaches to an external I/O
card with 10 or more 10/100 ports per card?

--
Will
Patrick Schaaf (Guest)
Posted: Tue Apr 19, 2005 8:20 am    Post subject: Re: Ethernet Switch With a PC at Core

"Will" <DELETE_westes@earthbroadcast.com> writes:

Quote:
Alternately, is there a PCI ethernet card that attaches to an external I/O
card with 10 or more 10/100 ports per card?

Just get a 1000mbit Port, and use VLAN support to run 10 or more separate
networks on it. We are quite happy with such a setup, using Linux' iptables
as the firewall code.

best regards
Patrick
Arnold Nipper (Guest)
Posted: Tue Apr 19, 2005 8:20 am    Post subject: Re: Ethernet Switch With a PC at Core

On 19.04.2005 07:20 Patrick Schaaf wrote

Quote:
"Will" <DELETE_westes@earthbroadcast.com> writes:

Alternately, is there a PCI ethernet card that attaches to an external I/O
card with 10 or more 10/100 ports per card?

Just get a 1000mbit Port, and use VLAN support to run 10 or more separate
networks on it. We are quite happy with such a setup, using Linux' iptables
as the firewall code.


Your security guys are also happy with this setup? If the switch is
compromised so is all of your network connected to it.

Arnold
--
Arnold Nipper, AN45
Will (Guest)
Posted: Tue Apr 19, 2005 8:20 am    Post subject: Re: Ethernet Switch With a PC at Core

I would never use it for an external firewall that is directly connected to
the Internet, but for an internal firewall that is used to restrict traffic
on the intranet it might suffice. As long as you have closed VLANs and put
the management port behind a dedicated firewall port, it may be reasonably
secure.

What I object to in this design is the need to define so many closed VLANs.
And on some switches you might exhaust the number of VLANs that are
supported.

--
Will


"Arnold Nipper" <arnold-200504@nipper.de> wrote in message
news:d4275g$fb2$1@nntp.ilk.net...
Quote:
On 19.04.2005 07:20 Patrick Schaaf wrote

"Will" <DELETE_westes@earthbroadcast.com> writes:

Alternately, is there a PCI ethernet card that attaches to an external I/O
card with 10 or more 10/100 ports per card?

Just get a 1000mbit Port, and use VLAN support to run 10 or more separate
networks on it. We are quite happy with such a setup, using Linux' iptables
as the firewall code.

Your security guys are also happy with this setup? If the switch is
compromised so is all of your network connected to it.

Arnold
--
Arnold Nipper, AN45
Tomi Holger Engdahl (Guest)
Posted: Tue Apr 19, 2005 8:20 am    Post subject: Re: Ethernet Switch With a PC at Core

"Will" <DELETE_westes@earthbroadcast.com> writes:

Quote:
Has anyone developed an ethernet switch that integrates an Intel PC running
a BSD variant or Windows 2000?

Nokia has/had a router product that was just like this.
It was basically Intel PC hardware in a rack case,
one or two multi-port Ethernet cards (4 ports per card or so)
and an operating system based on BSD.

Quote:
This would be a great platform for running
Checkpoint Firewall-1 in an environment where you wanted to put every PC
behind its own firewall-controlled port.

Nokia sold their product with Checkpoint firewall as security appliance.
http://www.cisilion.com/security/checkpoint.htm

Quote:
I realize that Cisco's 6500 has a
firewall module, but a 6500 is a bit more expensive than I want to go.
Alternately, is there a PCI ethernet card that attaches to an external I/O
card with 10 or more 10/100 ports per card?

I don't know any such product.

--
Tomi Engdahl (http://www.iki.fi/then/)
Take a look at my electronics web links and documents at
http://www.epanorama.net/
stephen (Guest)
Posted: Tue Apr 19, 2005 8:20 am    Post subject: Re: Ethernet Switch With a PC at Core

"Tomi Holger Engdahl" <then@solarflare.cs.hut.fi> wrote in message
news:laj1x97nryq.fsf@solarflare.cs.hut.fi...
Quote:
"Will" <DELETE_westes@earthbroadcast.com> writes:

Has anyone developed an ethernet switch that integrates an Intel PC running
a BSD variant or Windows 2000?

Nokia has/had a router product that was just like this.
It was basically Intel PC hardware in a rack case,
one or two multi-port Ethernet cards (4 ports per card or so)
and an operating system based on BSD.

They still do - we use a lot of these in our hosted web sites at work.
http://www.nokia.com/nokia/0,,43122,00.html

They also support gigabit ports - but I don't think the boxes can run them at
wire speed.

Quote:
This would be a great platform for running
Checkpoint Firewall-1 in an environment where you wanted to put every PC
behind its own firewall-controlled port.

Nokia sold their product with Checkpoint firewall as security appliance.
http://www.cisilion.com/security/checkpoint.htm

Just remember that Checkpoint isn't cheap - a multiport config for your type
of application may well need the most expensive unlimited user count licence.

Quote:
I realize that Cisco's 6500 has a
firewall module, but a 6500 is a bit more expensive than I want to go.
Alternately, is there a PCI ethernet card that attaches to an external I/O
card with 10 or more 10/100 ports per card?

I don't know any such product.

--
Tomi Engdahl (http://www.iki.fi/then/)
Take a look at my electronics web links and documents at
http://www.epanorama.net/

--

Regards

Stephen Hope - return address needs fewer xxs
Will (Guest)
Posted: Wed Apr 20, 2005 7:42 am    Post subject: Re: Ethernet Switch With a PC at Core

Right, I know about Nokia. But I want something with 40+ ports on it and
true switch-like performance that can be used on an intranet as the backbone
of the network.

Nokia is a PC with a few four-port cards that runs a BSD variant and
Checkpoint in the kernel. I want the same concept with a true switch
instead of a PCI bus.

--
Will


"Tomi Holger Engdahl" <then@solarflare.cs.hut.fi> wrote in message
news:laj1x97nryq.fsf@solarflare.cs.hut.fi...
Quote:
Has anyone developed an ethernet switch that integrates an Intel PC running
a BSD variant or Windows 2000?

Nokia has/had a router product that was just like this.
It was basically Intel PC hardware in a rack case,
one or two multi-port Ethernet cards (4 ports per card or so)
and an operating system based on BSD.
Patrick Schaaf (Guest)
Posted: Wed Apr 20, 2005 8:20 am    Post subject: Re: Ethernet Switch With a PC at Core

Arnold Nipper <arnold-200504@nipper.de> writes:

Quote:
On 19.04.2005 07:20 Patrick Schaaf wrote

"Will" <DELETE_westes@earthbroadcast.com> writes:

Alternately, is there a PCI ethernet card that attaches to an external I/O
card with 10 or more 10/100 ports per card?

Just get a 1000mbit Port, and use VLAN support to run 10 or more separate
networks on it. We are quite happy with such a setup, using Linux' iptables
as the firewall code.

Your security guys are also happy with this setup?

The security guys being one and the same as the network guys: yes.
You must put trust somewhere.

Quote:
If the switch is compromised so is all of your network connected to it.

Everybody who cares can bring their own routers and switches and firewalls.
We happily provide the rack space and uplink ports.

On the other hand, not _needing_ to bring new routers and switches
has put a lot of projects behind firewalls, which would otherwise
run less protected in some outside LAN, or at least in some internal
LAN shared with other stuff. Our way projects are almost all nicely
separated in their own VLANs, easily put behind this or that firewall
or load balancer, just by reconfiguration. This allows us operational
flexibility to do the right thing without much physical moving and
reconnecting, though.

Of course, deciding about such things always results in compromise.
I can justify some of the decisions easily by also pointing at who
is running things. With stronger separation of responsibilities the
dividing lines will change.

best regards
Patrick
stephen (Guest)
Posted: Wed Apr 20, 2005 8:20 am    Post subject: Re: Ethernet Switch With a PC at Core

"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:vOadnedGzrkSXPjfRVn-1w@giganews.com...
Quote:
Right, I know about Nokia. But I want something with 40+ ports on it and
true switch-like performance that can be used on an intranet as the backbone
of the network.

This is going to cost a fair amount of money - several reasons, but
expensive software and specialised hardware with relatively low numbers of
devices being made all push up the price.

Quote:
Nokia is a PC with a few four-port cards that runs a BSD variant and
Checkpoint in the kernel. I want the same concept with a true switch
instead of a PCI bus.

Try the Alteon switched firewall (Nortel Networks) - same basic idea of a
packaged PC running Checkpoint, but a specialised hardware switch can be
used to offload the traffic through the firewall to hardware.

Supports 240 or so logical interfaces, 8 Gig ports, VLANs, virtual firewalls,
scaling up by adding more accelerators.

Netscreen make some dedicated boxes for a similar scale, or we go back to a
PIX firewall blade.

Only other potential path is to use something like traffic filters rather
than a purpose made firewall - but even there you are going to want a high
end box to get hardware acceleration to get to the kind of performance you
are asking for - maybe a Cisco Catalyst 6509 / sup 720 / firewall IOS
combination, or maybe high end hardware from Foundry / Extreme?

Quote:
--
Will

"Tomi Holger Engdahl" <then@solarflare.cs.hut.fi> wrote in message
news:laj1x97nryq.fsf@solarflare.cs.hut.fi...
Has anyone developed an ethernet switch that integrates an Intel PC running
a BSD variant or Windows 2000?

Nokia has/had a router product that was just like this.
It was basically Intel PC hardware in a rack case,
one or two multi-port Ethernet cards (4 ports per card or so)
and an operating system based on BSD.

--

Regards

Stephen Hope - return address needs fewer xxs
Guest
Posted: Wed Apr 20, 2005 4:04 pm    Post subject: Re: Ethernet Switch With a PC at Core

"Will" <DELETE_westes@earthbroadcast.com> wrote:
Quote:
But I want something with 40+ ports on it and
true switch-like performance

Why not a separate 48-port hardware-based switch for performance and
an external PC-based firewall?
Will (Guest)
Posted: Thu Apr 21, 2005 7:40 am    Post subject: Re: Ethernet Switch With a PC at Core

The beauty of using a firewall port for each machine on an Intranet is that
you can:

1) ...easily identify the source of a virus, as when you see a specific
machine originating huge amounts of SMTP traffic in the firewall log.
Likewise, you can easily spot some program or individual spoofing a
different machine's source IP and forbid such machines from getting out to
the intranet at all.

2) ...easily control the kinds of traffic allowed between machines on your
Intranet. For example, Programmers' computers might be able to browse
files on a test database server, but probably your bookkeepers' computers
cannot do that. Microsoft has its own approach to controlling access
using domain authenticated users. That doesn't help much when a key user
password is compromised, and frankly on many intranet machines breaking in
to the default security configuration for most Microsoft OS is not hard. A
firewall can facilitate setting much more ironclad security policies. For
example, in my example above the bookkeepers' *computers* won't be able to
ping or test any port on most programmer related computers, and it won't
matter who logs into that machine. I'm fairly sick of relying on
Microsoft's "security", and I'm ready to call in the heavy weapons.

I'm sure that setting such rigid security through a hardware based firewall
on an intranet would be cumbersome for a huge company. But for a company
with less than 100 employees I think it would not be hard to administer the
software security policies on the firewall, if you made intelligent use of
Groups in your rules. And you would get payback over and over each time
you have a security breach on a specific machine.

--
Will


<William P. N. Smith> wrote in message
news:0odc6157kc8km8dj7q0r48f3et3q57amel@4ax.com...
Quote:
"Will" <DELETE_westes@earthbroadcast.com> wrote:
But I want something with 40+ ports on it and
true switch-like performance

Why not a separate 48-port hardware-based switch for performance and
an external PC-based firewall?
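The two checks Will describes for a per-host firewall port (a machine suddenly originating lots of SMTP connections, and a source address that does not belong on the port it came in on) are simple to run over a firewall log. The following is an added example, not code from the thread or from any firewall product; the log line format, the port-to-host assignment and the sample log are all constructed for illustration.

```python
"""Triage of a constructed per-port firewall log: flag hosts that burst
outbound SMTP, and packets whose source IP is not the host assigned to the
ingress port (which, with one host per port, locates the rogue device)."""
from collections import Counter
import re

# Constructed log format (not any vendor's): ts iface src dst proto dport action
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) (?P<src>[\d.]+) (?P<dst>[\d.]+) "
    r"(?P<proto>tcp|udp|icmp) (?P<dport>\d+) (?P<action>accept|drop)$"
)

# Hypothetical port-to-host assignment: each firewall port serves exactly one host.
PORT_MAP = {
    "eth1": "10.0.1.11",  # programmer workstation
    "eth2": "10.0.1.12",  # bookkeeper workstation
    "eth3": "10.0.1.13",  # bookkeeper workstation
}

# Constructed sample log: eth2 bursts SMTP; eth3 sends a packet using eth1's address.
SAMPLE_LOG = """\
08:00:01 eth1 10.0.1.11 10.0.2.5 tcp 1433 accept
08:00:02 eth2 10.0.1.12 198.51.100.7 tcp 25 accept
08:00:02 eth2 10.0.1.12 198.51.100.8 tcp 25 accept
08:00:03 eth2 10.0.1.12 198.51.100.9 tcp 25 accept
08:00:03 eth2 10.0.1.12 198.51.100.10 tcp 25 accept
08:00:04 eth3 10.0.1.11 10.0.2.5 tcp 1433 drop
08:00:05 eth3 10.0.1.13 10.0.2.9 tcp 80 accept
this line is garbage and must be skipped
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def smtp_talkers(records, threshold=3):
    """Source hosts with at least `threshold` outbound tcp/25 connections."""
    counts = Counter(
        r["src"] for r in records if r["proto"] == "tcp" and r["dport"] == 25
    )
    return {src: n for src, n in counts.items() if n >= threshold}


def spoof_candidates(records, port_map=PORT_MAP):
    """Packets whose source address is not the host assigned to the ingress port.
    Returns (iface, observed_src, expected_src) so the port pinpoints the device."""
    hits = []
    for r in records:
        expected = port_map.get(r["iface"])
        if expected is not None and r["src"] != expected:
            hits.append((r["iface"], r["src"], expected))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("SMTP talkers:", smtp_talkers(recs))
    print("Spoof candidates:", spoof_candidates(recs))
```

With a real per-port log, only LOG_RE and PORT_MAP would need to change; the threshold should be tuned to the site's normal mail volume.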
J. Clarke (Guest)
Posted: Thu Apr 21, 2005 8:00 am    Post subject: Re: Ethernet Switch With a PC at Core

Will wrote:

Quote:
The beauty of using a firewall port for each machine on an Intranet is
that you can:

1) ...easily identify the source of a virus, as when you see a specific
machine originating huge amounts of SMTP traffic in the firewall log.

Uh, you should be able to detect this using any network analyzer including
the one that comes with Windows Server.

Quote:
Likewise, you can easily spot some program or individual spoofing a
different machine's source IP and forbid such machines from getting out to
the intranet at all.

You don't need individual firewall ports to do this. All that you have to
do is block packets which come from machines that do not have a specific
matching of MAC and IP addresses. Has this been a problem on your system?
Quote:
2) ...easily control the kinds of traffic allowed between machines on your
Intranet. For example, Programmers' computers might be able to browse
files on a test database server, but probably your bookkeepers' computers
cannot do that. Microsoft has its own approach to controlling access
using domain authenticated users. That doesn't help much when a key user
password is compromised, and frankly on many intranet machines breaking in
to the default security configuration for most Microsoft OS is not hard.

(a) The method that Microsoft uses they copied from Novell and Novell copied
it from Banyan and Banyan pretty much copied it from mainframes. It's time
tested and properly administered works fine for most situations.

(b) If a key password is compromised your security is down the toilet
regardless. What happens in your proposed system when the password for
your frankenfirewall is compromised?

Quote:
A firewall can facilitate setting much more ironclad security policies.

How "ironclad" do you need to be?

Quote:
For example, in my example above the bookkeepers' *computers* won't be able
to ping or test any port on most programmer related computers,

Have you had a problem with bookkeepers getting into the programmers'
machines? In any case this doesn't require each machine to have its own
firewalled port.

Quote:
and it won't
matter who logs into that machine. I'm fairly sick of relying on
Microsoft's "security", and I'm ready to call in the heavy weapons.

Why, do you have specific problems? It sounds to me like you haven't really
mastered Windows security and you're looking for some kind of shortcut.

Quote:
I'm sure that setting such rigid security through a hardware based firewall
on an intranet would be cumbersome for a huge company.

It would be cumbersome for any sized company. What leads you to believe
that a company with ten thousand employees would have less need for such a
system than does yours?

Quote:
But for a company
with less than 100 employees I think it would not be hard to administer
the software security policies on the firewall, if you made intelligent
use of Groups in your rules.

You might be surprised, considering that some of what you want to do
requires a different rule on each port.

Quote:
And you would get payback over and over each time
you have a security breach on a specific machine.

It looks like you're making much more work for yourself than you need to.
Learn to use the tools you have properly. For example you talk about the
default security configuration on Windows servers. If you're in charge of
this network then why are you using the default configuration? And if you
don't have the authority to change the security configuration on the
servers I really want to be a fly on the wall the day that management finds
out that you've circumvented that stricture by micromanaging network
traffic.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
Will (Guest)
Posted: Thu Apr 21, 2005 8:20 am    Post subject: Re: Ethernet Switch With a PC at Core

I see that Cisco and several other switch vendors have features to just copy
data to a sniffer port. In our case we have many smaller switches from
different vendors rather than one large one, so I'm not sure how easy it
would be for us to have all network traffic on a single port. We would
also need to make sure that the size of the pipe on that one port was
sufficient to hold all of the network's traffic at any peak level, and that
might actually exceed a gigabit occasionally in our case.

It still seems like a hassle to deal with a layer 2 / layer 3 sniffer dump
compared to a firewall log when dealing with most security issues. I
acknowledge that the lower level of detail from a sniffer is sometimes what
you need. But I would rather pull out the special tool when I need it
rather than have the sniffer act in the role of a security monitor 24 hours
a day.

I'm comfortable with the way firewalls work, and I prefer to deal with a
firewall log's semantics as a first level response to a security issue. I
also want to be free to design a security policy that is imposed on the
network regardless of the configuration of the machines on that network. I
don't want a security policy that is a side-effect from how well I or others
remembered to configure individual machines on the network.

--
Will


"Will" <DELETE_westes@earthbroadcast.com> wrote in message
news:r7WdnUmlJJ39pfrfRVn-iQ@giganews.com...
Quote:
If you are using a switch, your sniffer won't see all of the traffic. If
you configure your switch to duplicate all traffic to the sniffer port, now
you create collisions that affect performance. The whole point of using a
switch was to optimize traffic flow and avoid collisions.
Will (Guest)
Posted: Thu Apr 21, 2005 8:20 am    Post subject: Re: Ethernet Switch With a PC at Core

"J. Clarke" <jclarke.usenet@snet.net.invalid> wrote in message
news:d479eh02tfr@news1.newsguy.com...
Quote:
Uh, you should be able to detect this using any network analyzer including
the one that comes with Windows Server.

If you are using a switch, your sniffer won't see all of the traffic. If
you configure your switch to duplicate all traffic to the sniffer port, now
you create collisions that affect performance. The whole point of using a
switch was to optimize traffic flow and avoid collisions.

Do you want to leave your sniffer running 24 hours a day? And what if the
machine in question is spoofing its IP? Now you need to go look at MAC
addresses and look at your internal documentation about what host that might
be. And what happens if it is an unknown Mac address? Now you have to go
tear apart your facility looking for the device, which could be almost
anywhere.

If you have each host on its own dedicated firewall port, now any rogue
device can be immediately located to a specific geography by virtue of the
interface on which it enters the firewall.


Quote:
You don't need individual firewall ports to do this. All that you have to
do is block packets which come from machines that do not have a specific
matching of MAC and IP addresses. Has this been a problem on your system?

So now you want me to in effect configure firewall-like rules on every
target host? Why is it better to configure 40 hosts instead of configuring
one firewall? You sound like you just like the status quo a whole lot more
than you like saving your time.

I understand fully well that I can invest every hour of my life making every
computer on my network a fortress. That to me sounds a lot like
configuring 40 firewalls instead of investing time into configuring one.


Quote:
(a) The method that Microsoft uses they copied from Novell and Novell copied
it from Banyan and Banyan pretty much copied it from mainframes. It's time
tested and properly administered works fine for most situations.

I guess time tested explains why on the last four corporate networks of
really large corporations, when we plugged our notebooks into their internal
networks to give presentations we were immediately attacked by dozens of
viruses on many different machines. No one inside the companies noticed
and no one cared. It's easy to compromise a default-configured Windows
box. That's why 60% of all home machines are virus infested by some
estimates. You can use all of the Microsoft tricks like security profiles,
but when you turn up security all the way, now all of the default Microsoft
services stop working and you end up having to debug which resources they
need access to.

Why is this time-tested formula better than simply securing access by a
firewall, which offers a much more robust methodology, which is guaranteed
to offer many levels of protection even when the machine in question is in
an insecure configuration?


Quote:
(b) If a key password is compromised your security is down the toilet
regardless. What happens in your proposed system when the password for
your frankenfirewall is compromised?

No, you have missed the point completely. If you design access to secure
machines to only come from certain physically secured hosts, then anyone who
steals a userid and password won't be able to login to secured hosts from
non-secured workstations because those non-secured workstations are blocked
through a firewall. Having a stolen account when you don't have physical
access to a machine that can login to the resources you want doesn't do you
any good. Firewalls provide an additional layer of security above and
beyond what Microsoft's security layer provides. Each has its place, and
each complements the other if designed well.

Obviously if your firewall is compromised you are hosed. That's why you
physically secure a firewall, and if you are careful you only use separate
local accounts on the firewall to authenticate to it. Ideally you use
crypto devices to provide a physical token together with a known password,
so that a stolen account still cannot compromise that box.


Quote:
Why, do you have specific problems? It sounds to me like you haven't really
mastered Windows security and you're looking for some kind of shortcut.

I've read every 200 page security manifesto that Microsoft has written.
It takes me more time to secure a single Windows box and then debug
permissions that applications need to work than it does to set up a firewall
for an entire network. I just want to save time and get results. If you
think you can get better results by working with Microsoft's software, it is
a free world after all and I won't try to stop you.

--
Will
J. Clarke (Guest)
Posted: Thu Apr 21, 2005 4:20 pm    Post subject: Re: Ethernet Switch With a PC at Core

Will wrote:

Quote:
I see that Cisco and several other switch vendors have features to just copy
data to a sniffer port. In our case we have many smaller switches from
different vendors rather than one large one, so I'm not sure how easy it
would be for us to have all network traffic on a single port. We would
also need to make sure that the size of the pipe on that one port was
sufficient to hold all of the network's traffic at any peak level, and
that might actually exceed a gigabit occasionally in our case.

It still seems like a hassle to deal with a layer 2 / layer 3 sniffer dump
compared to a firewall log when dealing with most security issues. I
acknowledge that the lower level of detail from a sniffer is sometimes what
you need. But I would rather pull out the special tool when I need it
rather than have the sniffer act in the role of a security monitor 24
hours a day.

I'm comfortable with the way firewalls work, and I prefer to deal with a
firewall log's semantics as a first level response to a security issue.
I also want to be free to design a security policy that is imposed on the
network regardless of the configuration of the machines on that network.
I don't want a security policy that is a side-effect from how well I or
others remembered to configure individual machines on the network.

If the security policy is a matter of "how well I or others remembered to
configure individual machines on the network" then (a) you're not using
system policies properly and (b) you've got a configuration management
problem that you need to address. You should have a standard configuration
for all machines, with variants for specific circumstances and a procedure
for implementing that configuration. There should be no "remembering" at
all involved.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
Page 1 of 2