[BUGA] layer2 hardware firewall device [recommendations please]

Wilkinson, Alex alex.wilkinson at dsto.defence.gov.au
Tue Jul 19 16:41:39 CST 2005


    On Wed, Jul 13, 2005 at 04:39:42PM +0930, Daniel O'Connor wrote: 

    >A layer 2 firewall doesn't make [much] sense.
    >Layer 2 is ethernet - what is it going to check for? Certain ether
    >types? How unuseful :)

OK, I'll clarify what I am talking about. The type of firewall that I
am talking about is known as a "bridging firewall" or a "transparent
firewall", i.e. a firewall that merely moves frames between interfaces
after inspecting them.


     "Instead of the device handling packets at layer 3 (network), what if
      it merely inspected frames and moved them to the proper interface?
      Sound familiar? This type of device would continue to filter packets,
      but operate at layer 2 (data link), like a bridge. Such a device has
      come to be known by several names: a transparent, in-line, shadow,
      stealth or bridging firewall."

      [http://www.securityfocus.com/infocus/1737]


    >I think you really need a layer 3 router/firewall box, although even
    >then I don't understand why you need it - just install a firewall on your
    >laptop, or on your DSL router.

Both of your aforementioned solutions would not get accredited by DSA
(Defence Security Authority). The *only* solution that will get
accredited by DSA is a *hardware firewall*. And at no time whatsoever can
we have a DoD device (aka restricted device) connected to a
non-restricted network (e.g. ISP). Therefore, in light of this, we *have*
to have a device (filter) that will sit between a DoD device and an
unrestricted network. If we use the firewall built into the
DSL router then we have just connected our restricted device to an
unrestricted network.

Unfortunately it is all about accreditation from DSA.

One such device we had in mind is the NetScreen-5 Series
[http://www.juniper.net/products/integrated/], but this product needs
AC power. We want a device that is powered off a USB or FireWire bus.


 - aW
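To make the "inspect frames, then move them between interfaces" idea above concrete, here is an added example of a minimal transparent (bridging) firewall in userspace. It is not part of the original post and is not NetScreen's or anyone else's product code. The filter never has an IP address of its own: it receives raw Ethernet frames on an "inside" and an "outside" interface, looks into the IPv4/TCP/UDP headers, and forwards only what the policy allows. The policy itself (inside may open TCP 80/443 and UDP 53; outside may only answer flows inside opened; ARP passes) is an assumption chosen for illustration, not DSA's rules, and the forwarding loop assumes Linux AF_PACKET sockets, root (CAP_NET_RAW), and both NICs already in promiscuous mode. The sample frames are constructed inline so the decision logic runs offline.

```python
"""Transparent (bridging) firewall sketch: L2 forwarding with L3/L4 inspection.
Added example, not code from the BUGA post or from any vendor product."""
import socket
import struct
import sys

ETH_P_ALL = 0x0003
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806

# Assumed policy for this example (NOT a DSA accreditation rule):
# (ip_proto, dst_port) the restricted "inside" side may open towards outside.
OUTBOUND_ALLOWED = {(6, 80), (6, 443), (17, 53)}


def parse_frame(frame):
    """Classify an Ethernet II frame. Returns a dict with 'ethertype' and, for
    IPv4 TCP/UDP, the 5-tuple; returns None for runts and for anything this
    example cannot classify (e.g. ICMP), which the caller then drops."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"ethertype": ethertype}
    if ethertype != ETH_P_IP:
        return info
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    l4 = ip[ihl:]
    if proto not in (6, 17) or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    info.update(proto=proto, src=socket.inet_ntoa(ip[12:16]),
                dst=socket.inet_ntoa(ip[16:20]), sport=sport, dport=dport)
    return info


class TransparentFirewall:
    """Stateful filter sitting between an 'inside' and an 'outside' NIC."""

    def __init__(self):
        # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.flows = set()

    def decide(self, ingress, frame):
        """ingress is 'inside' or 'outside'; True means forward to the peer NIC."""
        info = parse_frame(frame)
        if info is None:
            return False
        if info["ethertype"] == ETH_P_ARP:
            return True   # a bridge is useless without ARP; nothing to inspect
        if info["ethertype"] != ETH_P_IP:
            return False  # default deny for every other ethertype
        if ingress == "inside":
            if (info["proto"], info["dport"]) not in OUTBOUND_ALLOWED:
                return False
            self.flows.add((info["proto"], info["src"], info["sport"],
                            info["dst"], info["dport"]))
            return True
        # outside -> inside: only replies to a flow inside already opened
        return (info["proto"], info["dst"], info["dport"],
                info["src"], info["sport"]) in self.flows


def build_frame(src_ip, dst_ip, proto, sport, dport):
    """Constructed sample: Ethernet II + minimal IPv4 + L4 ports. MACs and
    checksums are placeholders; the filter never checks them."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4


def build_arp_frame():
    """Constructed sample broadcast ARP frame (payload contents irrelevant)."""
    return b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_P_ARP) + b"\x00" * 28


def demo():
    """Offline walk-through of the policy on constructed frames."""
    fw = TransparentFirewall()
    return [
        fw.decide("inside", build_frame("10.0.0.2", "203.0.113.5", 6, 40000, 443)),
        fw.decide("outside", build_frame("203.0.113.5", "10.0.0.2", 6, 443, 40000)),
        fw.decide("outside", build_frame("203.0.113.9", "10.0.0.2", 6, 22, 22)),
        fw.decide("inside", build_frame("10.0.0.2", "203.0.113.5", 6, 40001, 22)),
        fw.decide("outside", build_arp_frame()),
    ]


def run(inside_if, outside_if):
    """Linux-only forwarding loop (assumes root and promiscuous-mode NICs)."""
    import select
    socks, peer = {}, {"inside": "outside", "outside": "inside"}
    for name, ifname in (("inside", inside_if), ("outside", outside_if)):
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
        s.bind((ifname, 0))
        socks[name] = s
    by_fd = {s.fileno(): name for name, s in socks.items()}
    fw = TransparentFirewall()
    while True:
        for s in select.select(list(socks.values()), [], [])[0]:
            frame, addr = s.recvfrom(65535)
            if addr[2] == socket.PACKET_OUTGOING:
                continue  # frames we just sent; re-reading them would loop
            name = by_fd[s.fileno()]
            if fw.decide(name, frame):
                socks[peer[name]].send(frame)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        run(sys.argv[1], sys.argv[2])   # e.g. python bridgefw.py eth0 eth1
    else:
        print(demo())
```

Run with no arguments to see the policy decisions on the constructed frames; with two interface names it becomes an actual in-line filter, which is the same shape a NetScreen in transparent mode has, except that a real product does this in the forwarding path rather than copying every frame through userspace. Note that nothing here gives the box an IP address, which is what makes the device invisible on both segments.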

