On Thu, 27 Jul 2000 [EMAIL PROTECTED] wrote:
> A general question that could lead to interesting things....
>
> If anyone here were able to start, from scratch, their own firewall,
> specifically designed on a Linux platform, what would you select as the
> flavour, taking into consideration the following requirements:
Choosing the OS before looking at the application is generally the wrong
way to go about good systems design practice. Firewalling is too
operationally dependent to do exceedingly well without going through risk
profiles, pain thresholds, security policies, etc. Also, there are lots
of types of firewalls; picking the appropriate type requires analysis that
wild-guessing an OS is a poor route to.
> 1) Security, something stripped-down and tight
Anything can be stripped down (and everything should be.) I think a more
interesting approach to the host system is real security enforcement in
the kernel (esp. MAC and compartments.) For Linux, the best
implementation of that is RSBAC.
> 2) Performance, as that is always an issue
Not really - for me security has always been the issue. You can scale
hardware horizontally and/or vertically for performance.
> 3) Popularity, a flavor everyone likes
Choosing a key infrastructure component based on popularity isn't a metric
I'd use.
> 4) Future scope, something everyone will like for a long time to come
Future scope should be about the flexibility of the toolset, that depends
again on the potential future requirements.
> 5) Flexibility and Ease, something easy to use and without limitations
Those tend to be mutually exclusive in my experience if you're not
implementing trivial mechanisms.
> So if anyone here, had the power to do it, and do it right, what would be
> YOUR flavour?
I'd probably spend more time agonizing over authentication mechanisms than
distributions.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]