NFR Wizards Archive: Re: Sliding/Shifting/Morphing firewalls

Re: Sliding/Shifting/Morphing firewalls

Stephen P. Berry (spbmeshuga.incyte.com)
Thu, 11 Feb 1999 18:20:16 -0800


>One application would be for high-bandwidth site-to-site WAN networking
>across the Internet with a low possibility of D.O.S. vulnerability.

Ds of S. originating from the dreaded Internet, that is. If all the
RAIFset pops are in the same geographic area you're still going to
be pretty vulnerable to the ol' utilities company backhoe D.O.S.

>A RAIDset of Firewalls or RAIFset just might do the trick. RAIF being modeled
>on the technologies of SSHF radio and disk RAIDsets (prior art), and would
>be done over parallel and redundant paths over public, public/private, or
>private links, using IP/IPsec. (I can hear my patent attorney choking
>himself now...). ;)

Presuming the evildoer(s) aren't privy to the constituent addresses of
your RAIFset. Launching a D.O.S. against a half dozen addresses isn't
markedly more difficult than launching a D.O.S. against one. I suppose
you could add the additional abstraction layer of having a RAIBRset
(a RAID set of border routers), each pointing to a different upstream
provider, for every firewall in your RAIFset...but that's just adding
additional -complexity- to the problem of launching a successful D.O.S.,
rather than adding additional -difficulty- (if you understand the

This is of course one of the fundamental problems of using public
channels. No matter how cleverly you manage your little corner of
the net, there are always going to be bits upstream that you don't
control. When you're investigating problems, you will invariably
discover that those bits not under your control are in fact administered by
groups of uberlusers who possess diagnostic skills roughly on a par
with a troop of mildly concussed tarsiers. If you're relying on
them for high availability bandwidth or, heavens forfend, security,
you're going to get chumped.

>'Course the RAIFset would have to be coded with a daily key for the random
>but predictable pattern of addresses:ports used to create an aggregated

In terms of bandwidth, the best method would probably be to use a
PRNG with a reasonably long period. Set the seed during the
initial setup of the constituent firewalls in the RAIFsets, and
then exchange a new seed at some pre-defined interval (some wee bit
less than your PRNG's period).

You could also pass the next (and perhaps prior) port(-s) and address(-es)
in the header of each packet, although this would pragmatically
mean turning your RAIFset into a defragmenting router unless you had
some mechanism for ensuring a fixed latency across any possible data
paths. Retransmits---presumably only necessary if you lose both
a data packet and a parity packet---would also be a bitch.

-Steve



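The synchronized address:port hopping schedule the post sketches (a shared seed set at initial setup, a fresh seed at a fixed interval well short of the generator's period, and a receiver that tolerates the latency differences across parallel paths), written out as an added example. This is not code from the original post or thread. It uses HMAC-SHA256 keyed with the seed as the "PRNG", which is this example's choice rather than the post's, so that an attacker who observes many address:port pairs cannot run the generator backwards to the seed; the firewall addresses, port range, slot length, reseed interval and master secret are all constructed assumptions.

```python
import hmac
import hashlib
from typing import List, Tuple

# Constructed sample configuration (assumptions for this example; none of it
# comes from the original post): the addresses of a hypothetical RAIFset's
# constituent firewalls, the port range they hop over, and the timing.
RAIF_ADDRESSES = ["192.0.2.10", "192.0.2.11", "198.51.100.10", "203.0.113.10"]
PORT_LOW, PORT_HIGH = 10000, 60000
SLOT_SECONDS = 60       # the address:port pair shifts once per slot
RESEED_SLOTS = 1440     # fresh seed every 1440 slots (one "day"), far below the PRF's period


def slot_index(now: int) -> int:
    """Map a Unix timestamp to the hop slot both ends are in."""
    return now // SLOT_SECONDS


def seed_for_slot(master: bytes, slot: int) -> bytes:
    """Per-epoch seed.  The post has the two ends exchange a new seed at a
    fixed interval; here (an assumption) each epoch's seed is derived from a
    master secret agreed at setup, so no on-the-wire exchange is modelled."""
    epoch = slot // RESEED_SLOTS
    return hmac.new(master, b"epoch:" + epoch.to_bytes(8, "big"), hashlib.sha256).digest()


def hop(seed: bytes, slot: int) -> Tuple[str, int]:
    """The 'random but predictable' address:port for one slot.
    HMAC-SHA256 keyed with the seed plays the role of the PRNG: an observer
    who sees many outputs still cannot recover the seed, which is not true
    of a plain LCG or Mersenne Twister with a known output sequence."""
    digest = hmac.new(seed, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    addr = RAIF_ADDRESSES[int.from_bytes(digest[:4], "big") % len(RAIF_ADDRESSES)]
    port = PORT_LOW + int.from_bytes(digest[4:8], "big") % (PORT_HIGH - PORT_LOW + 1)
    return addr, port


def sender_target(master: bytes, now: int) -> Tuple[str, int]:
    """Where a packet sent at time `now` should be addressed."""
    slot = slot_index(now)
    return hop(seed_for_slot(master, slot), slot)


def accepted_targets(master: bytes, now: int, skew_slots: int = 1) -> List[Tuple[str, int]]:
    """Receiver side: the current slot plus its neighbours, so that clock
    skew and unequal latency across the parallel paths (the fixed-latency
    problem the post raises) do not cause legitimate packets to be dropped."""
    slot = slot_index(now)
    return [hop(seed_for_slot(master, s), s)
            for s in range(slot - skew_slots, slot + skew_slots + 1)]


def is_expected(master: bytes, now: int, dst_addr: str, dst_port: int) -> bool:
    """Filter rule: is this packet's destination on the current schedule?"""
    return (dst_addr, dst_port) in accepted_targets(master, now)


if __name__ == "__main__":
    master = b"constructed-master-secret-agreed-at-setup"   # assumption
    t = 1_700_000_000
    addr, port = sender_target(master, t)
    print("slot", slot_index(t), "->", addr, port)
    # Packet arrives 40 s later, possibly already in the next slot: still accepted.
    print("accepted at t+40:", is_expected(master, t + 40, addr, port))
```

The acceptance window is what stands in for the "fixed latency across any possible data paths" the post says would otherwise be needed: a packet dispatched to slot s is still on the schedule if it lands in slot s-1, s or s+1. Widening the window buys tolerance for slower paths at the cost of more address:port pairs being live at once, which is exactly the trade-off between tolerating path skew and keeping the hopping set small.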
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:09 CDT