---------- Forwarded message ----------
Date: Sat, 14 Oct 1995 20:45:35 -0400 (EDT)
From: Charles Kaplan <cbk@starlight.ingress.com>
To: firewalls@greatcircle.com
Subject: Application level vs Packet filtering
I concur that combining the two yields both overlap, but also
performance advantages.
By using packet filters on the 'fringes' of the gateway (internally and
externally), you can eliminate (at a high rate) known bad sites. This
extends to the level of blocking employee access from sites such as
playboy.com, or blocking public access workstation xx.xxx.xxx.xx from
accessing the web.
These functions could operate on separate platforms, i.e. TIS FWTK and a
router, or on the same platform like with BorderWare or BlackHole.
One nice benefit of combining the two technologies onto one platform is
that you can tell a user why they are being denied access. I.e. in
BorderWare and BlackHole, if you are not in a filter list to be allowed
web access, the application (since it does look at every packet
disassembled) can (and does) present a web page informing you that you
are being denied access. A strict packet filter would just drop the
connection, and leave the user thinking the network was down or something.
-Charles Kaplan (yes, I am a BorderWare reseller)
for more information check out
www.border.com 800-334-8195 (BorderWare)
www.milkyway.com 613-596-5549 (BlackHole)
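The two-stage design the post describes, as an added illustration that is not from the message, from BorderWare, or from BlackHole: a cheap address-only packet filter at the gateway fringe that silently drops traffic to or from a known-bad network, followed by an application-level proxy stage that sees the full HTTP request and can return an explanatory deny page instead of leaving the user with a dead connection. The policy entries (the RFC 5737 documentation ranges standing in for a "known bad site" and for the workstation "xx.xxx.xxx.xx") are constructed sample values, and `fringe_filter`, `proxy_decision` and `gateway` are hypothetical names.

```python
import ipaddress

# Constructed sample policy for illustration only; not taken from the post.
# Packet-filter stage: networks dropped outright at the gateway edge.
KNOWN_BAD_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),  # documentation range, stands in for a known-bad site
]
# Application stage: hostnames employees may not browse, and a workstation
# that gets no web access at all (stands in for "xx.xxx.xxx.xx" in the post).
BLOCKED_HOSTNAMES = {"playboy.com"}
NO_WEB_WORKSTATIONS = {ipaddress.ip_address("192.0.2.44")}


def fringe_filter(src_ip, dst_ip):
    """Packet-filter stage. Inspects addresses only, so it is cheap enough to
    run on every packet. Returns True to pass, False to drop silently."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return not any(src in net or dst in net for net in KNOWN_BAD_NETWORKS)


def deny_page(reason):
    """The page an application-level gateway can show in place of a dropped connection."""
    return ("<html><body><h1>Access denied</h1>"
            "<p>" + reason + "</p></body></html>")


def proxy_decision(src_ip, host):
    """Application-level stage. The proxy has the reassembled HTTP request, so it
    knows the requested host and can explain a refusal. Returns (status, body)."""
    src = ipaddress.ip_address(src_ip)
    if src in NO_WEB_WORKSTATIONS:
        return 403, deny_page("Workstation %s is not permitted web access." % src_ip)
    if host.lower() in BLOCKED_HOSTNAMES:
        return 403, deny_page("Access to %s is blocked by site policy." % host)
    return 200, ""  # request would be forwarded to the origin server


def gateway(src_ip, dst_ip, host):
    """Run both stages in order and report what the user ends up seeing."""
    if not fringe_filter(src_ip, dst_ip):
        # Silent drop: no response at all, the user just sees a hung connection.
        return {"stage": "packet-filter", "action": "drop", "status": None, "body": ""}
    status, body = proxy_decision(src_ip, host)
    if status == 403:
        return {"stage": "proxy", "action": "deny-with-page", "status": 403, "body": body}
    return {"stage": "proxy", "action": "forward", "status": 200, "body": ""}


if __name__ == "__main__":
    # Constructed sample requests: (client address, server address, requested host).
    samples = [
        ("192.0.2.10", "203.0.113.5", "example.com"),   # server in a known-bad network
        ("192.0.2.44", "198.51.100.7", "example.com"),  # workstation without web access
        ("192.0.2.10", "198.51.100.7", "playboy.com"),  # blocked hostname
        ("192.0.2.10", "198.51.100.7", "example.com"),  # allowed
    ]
    for src, dst, host in samples:
        result = gateway(src, dst, host)
        print(src, "->", host, ":", result["stage"], result["action"], result["status"])
```

The packet-filter stage never produces a response body, which is exactly the "network looks down" symptom the post mentions; only the proxy stage, which has the reassembled request, can attach a reason the user can read.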