Great Circle Associates Firewalls
(March 1996)

Subject: Re: Eternal war: gateway versus filtering
From: Rolf Weber <weber @ iez . com>
Date: Mon, 11 Mar 1996 18:55:23 +0100 (MEZ)
To: woods @ ncar . UCAR . EDU (Greg Woods)
Cc: firewalls @ greatcircle . com (firewalls)
In-reply-to: <199603111614 . JAA13047 @ ncar . ucar . EDU> from "Greg Woods" at Mar 11, 96 09:14:34 am

> 
> I personally would not trust advice on what I should buy coming from
> someone who is trying to sell me something. Most salesmen are not
> 
you said it, *you* personally wouldn't trust, because you probably
have enough knowledge of this topic.
but what's with people who don't?
they have to trust someone...but i don't want to go on.
this discussion is only sufficient if there are significant differences
between modern packet filters and application level gateways.

this leads me back to the beginning of this thread...
when i began to learn about firewalls, i mostly heard packet filters
are less secure because:
1. they are hard to configure properly
     assuming it's made by an expert, this shouldn't be a good argument.
2. some protocols make problems (e.g. FTP, data channel)
     with modern dynamic packet filters, this shouldn't be, too.
OTOH, the advantages of a packet filter should be:
1. flexibility
     it's the question whether this is really an advantage. but the
     vendors offer proxies for the most used services, so this isn't
     important for most sites.
2. performance (?!?!)
     this is, IMHO, the point. nowadays, most sites are connected with
     T1 lines (or ISDN in europe). for such connections, even the
     slowest firewall should be fast enough. but this is the situation
     of today, not of tomorrow.
     i never made any performance test, it's only my feeling which
     tells me that packet filters should be faster than application level
     gateways.
     i think transparent firewalls like gauntlet do fire off the proxy
     when the (modified) kernel sees a request.
     it would be very interesting to hear from someone who made a test
     with a kernel built-in proxy and compared it with a fired-off
     proxy.
     some of you (incl. myself) made suggestions, but i never saw any
     measured data.

or did i overlook some important point?

[perhaps i should have posted this to firewalls-performance, too, but
this list doesn't want any 'perhaps' or 'probably' and while i'm not
a technical expert, only an interested user, i didn't]

rolf
-- 
-----------------------------------------
Rolf Weber <weber @ iez . com> | All I ask is a chance
IEZ AG   D-64625 Bensheim      | to prove that money
++49-6251-1309-113             | can't make me happy.
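The point about FTP's data channel (item 2 of the "less secure" list above) is the classic case where a static packet filter and a dynamic (stateful) one differ. The following is an added illustration, not code from the post or from any product it mentions: a toy filter that tracks FTP control connections, parses the PORT command and the 227 PASV reply, and opens a one-shot pinhole for the announced data connection, next to a static filter that only has fixed rules. Hosts, ports and the three-packet sessions are constructed sample data; the only policy assumed is "inside hosts may open connections to port 21".

```python
"""Static vs. dynamic (stateful) packet filtering of FTP's separate data channel."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for a new-connection attempt
    payload: bytes = b""     # control-channel text, if any

# Server's passive reply and client's active command, both carry "h1,h2,h3,h4,p1,p2".
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def _addr_port(m):
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class StaticFilter:
    """Fixed rules only: inside hosts may open connections to port 21; anything
    that looks established (no SYN) passes, as with the classic ACK-bit rule."""
    def __init__(self, inside):
        self.inside = inside
    def allow(self, pkt):
        if pkt.syn:
            return pkt.src in self.inside and pkt.dport == 21
        return True

class DynamicFilter:
    """Same base policy, but watches permitted control channels and opens a
    one-shot pinhole for the data connection each FTP exchange announces."""
    def __init__(self, inside):
        self.inside = inside
        self.control = set()    # (src, sport, dst, dport) of permitted control channels
        self.pinholes = set()   # (src, dst, dport) of expected data connections
    def allow(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn:
            if pkt.src in self.inside and pkt.dport == 21:
                self.control.add(key)
                return True
            hole = (pkt.src, pkt.dst, pkt.dport)
            if hole in self.pinholes:
                self.pinholes.discard(hole)   # single use, then closed again
                return True
            return False
        if key in self.control:               # client -> server, look for PORT
            m = PORT_RE.search(pkt.payload)
            if m:
                host, port = _addr_port(m)
                if host == pkt.src:           # only the client itself may be announced
                    self.pinholes.add((pkt.dst, host, port))   # server connects back
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.control:   # server -> client, 227
            m = PASV_RE.search(pkt.payload)
            if m:
                host, port = _addr_port(m)
                if host == pkt.src:           # reply must name the server we talk to
                    self.pinholes.add((pkt.dst, host, port))   # client connects out
            return True
        return False

def pasv_session(flt, client="10.0.0.5", server="192.0.2.10", data_port=50001, announced=None):
    """Constructed passive-mode exchange; 'announced' lets the reply name another host."""
    p1, p2 = divmod(data_port, 256)
    host = (announced or server).replace(".", ",")
    reply = f"227 Entering Passive Mode ({host},{p1},{p2}).\r\n".encode()
    pkts = [Packet(client, 40000, server, 21, syn=True),
            Packet(server, 21, client, 40000, payload=reply),
            Packet(client, 40001, server, data_port, syn=True)]
    return [flt.allow(p) for p in pkts]

def active_session(flt, client="10.0.0.5", server="192.0.2.10", data_port=40010):
    """Constructed active-mode exchange: the server opens the data connection inbound."""
    p1, p2 = divmod(data_port, 256)
    cmd = f"PORT {client.replace('.', ',')},{p1},{p2}\r\n".encode()
    pkts = [Packet(client, 40000, server, 21, syn=True),
            Packet(client, 40000, server, 21, payload=cmd),
            Packet(server, 20, client, data_port, syn=True)]
    return [flt.allow(p) for p in pkts]

if __name__ == "__main__":
    inside = {"10.0.0.5"}
    for name, flt in (("static", StaticFilter(inside)), ("dynamic", DynamicFilter(inside))):
        print(name, "passive:", pasv_session(flt), "active:", active_session(flt))
```

With the static filter the third packet of each session, the data connection, is dropped, which is exactly why such setups ended up with broad "allow high ports" rules. The dynamic filter permits it only after seeing the announcement on a control channel it already allowed, closes the pinhole after one use, and ignores announcements that name a third host, so the stateful inspection does not become a way to open connections to arbitrary addresses.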

