Firewalls that forward packets like a bridge, rather than as a router, have many operational benefits. By decoupling routing from filtering, the firewall becomes a pure filter, unburdened by routing tables or interface configuration. The result is increased flexibility. This paper explores some of the benefits we have found. Most of them stem from the fact that a bridged firewall requires fewer transit subnets; sometimes transit subnets are eliminated entirely. Such a firewall can be placed between any two network devices and act like a line filter without any change to the logical routing of the network, and it is easy to put one in series with another firewall for testing. Our examples include replacing an old firewall with a new one, moving a firewall from one router to another with zero downtime, firewalling off an individual office or lab, and others. In many cases topology changes are made without service interruptions, and the operational procedures become much simpler. The paper also suggests future directions for research in this area.