Hello:

I see a potential security problem in that the system doing the actual work here (SQUID?) doesn't seem to have anything in front of it to limit *overall* bandwidth to the OS. This makes your system particularly vulnerable to floods of small packets, as they will consume the CPU resources.

Also, I don't see any mention of packet checking prior to subnet analysis. I don't know if that's assumed, but is your system also vulnerable to fragments? Strange offsets?

Just my thoughts....

Jeremiah

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Usman Aleem
Sent: Tuesday, November 27, 2001 9:10 AM
To: [EMAIL PROTECTED]
Subject: need advise

Hi,

I am an undergrad student researching my senior project idea. Basically I have a different idea for implementing a firewall (I have not seen anyone do this yet). Essentially, I want to develop a software-based bandwidth allocator, something similar to the multiple queues in FRED gateways. There will be queues for each subnet in an organization. This way I can separate the types of traffic I have in my network. The servers can be put on a separate queue and (say) internet users can be put on another (the number of queues will be proportional to the number of subnets or security categories). With this I can provide different subnets with different bandwidths. Once I have achieved this I want to provide each queue with different security levels depending on its traffic. I am thinking of editing the relevant parts of the Squid proxy for this; this will help me in providing all the caching capabilities to internet users, and the servers' traffic will just be allowed to go through.

As the idea is still developing I just wanted someone to critique it and pose the problems or improvements. The bandwidth allocation part is fairly trivial, but what I really want to know is whether it would be a good idea to apply security in this fashion. I am also attaching a diagram which gives a very basic idea of my design.

Regards,
usman.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
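Jeremiah's two points (a byte-based allocator is blind to packet-rate floods, and packets should be sanity-checked before any subnet lookup spends budget on them) can be illustrated with a small per-subnet admission model. The following is an added example, not code from either poster or from Squid or FRED; the `Packet` record, the subnet addresses, the rates and the traffic mix are all constructed for the simulation, and the two-bucket design (one bucket counting bytes, one counting packets) is a suggested structure rather than the design from the original message.

```python
import ipaddress
from dataclasses import dataclass

MAX_IP_LEN = 65535      # largest IPv4 datagram
MIN_IP_HDR = 20         # IPv4 header without options


@dataclass
class Packet:
    """Constructed stand-in for an IPv4 packet: only the fields the checks need."""
    src: str
    size: int                 # total length in bytes
    frag_offset: int = 0      # fragment offset in 8-byte units, as in the IPv4 header
    more_fragments: bool = False


def sanity_check(pkt: Packet) -> bool:
    """Cheap header checks run before any subnet lookup, so a malformed
    fragment is rejected before it costs any queue part of its budget."""
    if pkt.size < MIN_IP_HDR or pkt.size > MAX_IP_LEN:
        return False
    # A fragment whose offset plus length would overrun the maximum datagram size
    if pkt.frag_offset * 8 + pkt.size > MAX_IP_LEN:
        return False
    # Every non-final fragment must carry a payload that is a multiple of 8 bytes
    if pkt.more_fragments and (pkt.size - MIN_IP_HDR) % 8 != 0:
        return False
    return True


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""
    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens = burst
        self.last = 0.0

    def refill(self, now: float) -> None:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def take(self, cost: float) -> None:
        self.tokens -= cost


class SubnetQueue:
    """One queue per subnet, holding both a byte budget and a packet budget."""
    def __init__(self, cidr: str, byte_rate: float, pkt_rate: float):
        self.net = ipaddress.ip_network(cidr)
        self.bytes = TokenBucket(byte_rate, byte_rate)   # one second of burst
        self.pkts = TokenBucket(pkt_rate, pkt_rate)
        self.stats = {"accepted": 0, "dropped_bytes": 0, "dropped_pps": 0}

    def admit(self, pkt: Packet, now: float) -> str:
        self.bytes.refill(now)
        self.pkts.refill(now)
        # Packet budget first: a flood of tiny packets exhausts it long before
        # it makes a dent in the byte budget, which is the CPU-exhaustion case.
        if self.pkts.tokens < 1:
            self.stats["dropped_pps"] += 1
            return "dropped_pps"
        if self.bytes.tokens < pkt.size:
            self.stats["dropped_bytes"] += 1
            return "dropped_bytes"
        self.pkts.take(1)
        self.bytes.take(pkt.size)
        self.stats["accepted"] += 1
        return "accepted"


class Allocator:
    """Runs the header checks, then dispatches to the subnet's queue."""
    def __init__(self, queues):
        self.queues = queues
        self.stats = {"malformed": 0, "unclassified": 0}

    def classify(self, src: str):
        addr = ipaddress.ip_address(src)
        return next((q for q in self.queues if addr in q.net), None)

    def admit(self, pkt: Packet, now: float) -> str:
        if not sanity_check(pkt):
            self.stats["malformed"] += 1
            return "malformed"
        q = self.classify(pkt.src)
        if q is None:                     # no queue means no budget: drop it
            self.stats["unclassified"] += 1
            return "unclassified"
        return q.admit(pkt, now)


def simulate():
    """Constructed traffic: a burst of tiny packets from the user subnet,
    a bulk transfer from the server subnet, then a few stragglers a second later."""
    users = SubnetQueue("10.1.0.0/16", byte_rate=1_000_000, pkt_rate=1000)
    servers = SubnetQueue("10.2.0.0/16", byte_rate=300_000, pkt_rate=1000)
    alloc = Allocator([users, servers])
    for _ in range(5000):                 # 64-byte flood: 320 KB, well under the byte cap
        alloc.admit(Packet("10.1.0.5", 64), now=0.0)
    for _ in range(500):                  # 1500-byte bulk flow: 750 KB, over the byte cap
        alloc.admit(Packet("10.2.0.9", 1500), now=0.0)
    for _ in range(100):                  # one second later the packet bucket has refilled
        alloc.admit(Packet("10.1.0.5", 64), now=1.0)
    alloc.admit(Packet("10.1.0.5", 100, frag_offset=8191), now=1.0)   # offset overruns 64 KB
    alloc.admit(Packet("192.168.9.9", 64), now=1.0)                   # not in any subnet
    return users.stats, servers.stats, alloc.stats
```

Running `simulate()` shows the two failure modes side by side: the user subnet's 64-byte burst never comes near its byte budget, yet 4000 of its 5000 packets are refused by the packet bucket, while the server subnet's 1500-byte flow is cut off by bytes after 200 packets. The malformed fragment and the unclassified source are counted before either queue sees them.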
