Perfectly... On Mon, 27 Sep 1999, Howard C. Berkowitz wrote:
Date: Mon, 27 Sep 1999 08:27:27 -0400 From: Howard C. Berkowitz <hcb@clark.net> To: nanog@merit.edu Subject: "firewalls" at high speed -- was Re: FW: your mail
...
All good points. Something else to consider: with increasing cryptographic security requirements, the "firewall" (ambiguous term as it is, but let's think of it as a stateful packet screen -- the major approach at high speed) is not the only device between you and the outside. It's worth thinking of:
Bastion hosts -- not trusted with crypto keys Security gateways -- trusted to do encryption IPsec gateways SSL/TLS proxies Conduits with access lists -- for host-to-host encryption, where the firewall wouldn't add value
There is also the very murky area where logging and intrusion detection mix, and whether they can operate at these speeds/
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 230-41-41, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)