Great Circle Associates Firewalls
(October 1995)

Subject: Re: Firewall1 Comparison -Reply
From: frankw @ in . net (Frank Willoughby)
Date: Fri, 13 Oct 95 23:34:41 -0400
To: Doug Kaye <dkaye @ rds . com>
Cc: firewalls @ GreatCircle . com

>I'm seeing a lot of discussion on packet filters vs. application gateways.
>Does it make sense to implement both?

Yes
>Is it too expensive or overkill?  

Neither

>If you implement both, where does the filter go -- on the public side of
>the application gateway?

Explanation follows

>Is it possible to run both on the same hardware?

Yes

A Packet Filter can be as cheap as a little over a grand.  Many are 
routers (Cisco is a good example of a high-quality router).  

An Application Gateway filters packets and applications (simply stated
for brevity).

Having managed a Packet Filter (not a router) *and* an Application Gateway, 
I guess I can say I speak from experience.  FWIW, the Packet Filter was
a DSG (Digital Security Gateway).  

Packet filters are good cheap fixes for low-risk security environments.
Application Gateways are ideal for high-risk environments.  If you are
securing two internal LAN segments, the packet filter may be the best 
approach for you.  I would consider the Internet to be a very high risk 
environment.

There are many good packet filters out there.  However, I'm a firm believer 
in using the right tool for the right job.  IMO, the only firewall I would 
use for protecting valuable data from the Internet is an Application Gateway 
which uses heavy authentication and very strong encryption.  


The above assumes of course that you are trying to protect valuable data
or your corporation.  


RE: Configuration question
Regarding the configuration question, I personally would have the router
on the Internet side be set up so that it only allows services which the
firewall will pass judgement on and block everything else.  This has the 
advantages of redundant security in the event that someone makes a mistake 
in the rules of the firewall or the router - and - it reduces the load on 
the firewall (increasing throughput).  

Of course, the router on the inside could also include these rules for even
more redundant security.

Rathole avoidance suggestion
Also, rather than go down the road of Packet Filter vs. Application Gateway,
please feel free to send me mail & we can discuss this subject off-line.  If 
you want to research the subject further, I will be happy to supply you with
references.

Best Regards,


Frank


PS - FWIW, I agree completely with Fred from TIS.




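The screened configuration described in the post above (an Internet-side router that permits only the services the application gateway will judge, default deny for everything else, with the gateway applying its own policy behind it) can be modelled to show the redundancy argument concretely. This is an added example, not part of the original post; the gateway address, proxied port list and rule sets are constructed.

```python
# Added example: two independent policy layers in a screened configuration.
# Assumption (constructed): the application gateway sits at 192.0.2.10 and
# proxies FTP control (21), SMTP (25) and HTTP (80) only.
from dataclasses import dataclass

GATEWAY = "192.0.2.10"          # constructed address of the application gateway
PROXIED_PORTS = {21, 25, 80}    # the only services the gateway will pass judgement on


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def router_permits(pkt: Packet) -> bool:
    """Internet-side screening router: only TCP to the gateway host on a
    proxied port gets through; everything else is dropped (default deny)."""
    return pkt.proto == "tcp" and pkt.dst == GATEWAY and pkt.dport in PROXIED_PORTS


def gateway_permits(pkt: Packet, rules) -> bool:
    """Application gateway policy: first matching (proto, port, action) rule
    decides; no match means deny."""
    for proto, port, action in rules:
        if pkt.proto == proto and pkt.dport == port:
            return action == "allow"
    return False


def evaluate(pkt: Packet, gateway_rules) -> str:
    """Run a packet through both layers and report which one stopped it."""
    if not router_permits(pkt):
        return "blocked:router"
    if not gateway_permits(pkt, gateway_rules):
        return "blocked:gateway"
    return "pass"


# A correct gateway policy, and the same policy with an administrator's
# mistake: a stray allow for telnet that the gateway was never meant to pass.
GOOD_RULES = [("tcp", 21, "allow"), ("tcp", 25, "allow"), ("tcp", 80, "allow")]
MISTAKEN_RULES = GOOD_RULES + [("tcp", 23, "allow")]

if __name__ == "__main__":
    probes = [
        Packet("203.0.113.5", GATEWAY, "tcp", 25),     # mail to the gateway
        Packet("203.0.113.5", GATEWAY, "tcp", 23),     # telnet; gateway rule is wrong
        Packet("203.0.113.5", "10.0.0.7", "tcp", 80),  # aimed straight at an inside host
        Packet("203.0.113.5", GATEWAY, "udp", 53),     # not a proxied protocol
    ]
    for p in probes:
        print(f"{p.proto}/{p.dport} -> {p.dst}: {evaluate(p, MISTAKEN_RULES)}")
```

The telnet probe shows the point made in the post: the gateway's mistaken rule would have allowed it, but the router's narrower rule set never lets the packet reach the gateway.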

