Mark Horn wrote:
> Suppose that you have a user who goes on travel and wants to telnet in to his
> machine FOO from remote host BAR. To allow this, the packet filtering
> firewall must allow in port 23 from BAR to FOO. Now, there are two ways to
> get around this type of authentication:
>
> a) IP address spoofing - i.e. pretend that you are host BAR
> b) Get access to host BAR, and telnet in
It seems to me that if you accept inbound connections, it doesn't
matter what type of firewall you have, only what type of authentication
is performed by the services you let in. If you assume that the
external host(s) are compromised (which seems reasonable :), then
neither where the connection comes from nor who the connection claims
to be representing can be trusted. If the connection knows the magic
words to open the gate, it gets in. A proxy might restrict the amount
of havoc able to be wreaked once inside, but maybe not.
I'm not an expert on either technology, but I agree with Patrick that
the discussion so far has involved more religion than fact. It would be
very useful to understand the strengths and weaknesses of filters vs.
proxies so that the appropriate technology can be used in the
appropriate places. I think that filters are fairly self-explanatory.
Would any of the proponents of proxies care to put forth an example of
a situation in which proxies are more effective?
Paul
Disclaimer: I don't speak for Sun; Sun doesn't speak for me
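Paul's point, that a packet filter can only judge the source address a packet claims while real authentication has to happen in the service (or a proxy in front of it), as a small simulation. This is an added example and not code from the post or from either author; the addresses, the shared secret and the `origin` labels are constructed for the simulation, and the `origin` field only exists so the reader can see who "really" sent a packet, which nothing on the wire reveals to the filter.

```python
"""Simulation of the scenario in the thread: a stateless packet filter that
admits telnet (port 23) from host BAR to host FOO, beside an authenticating
proxy placed in front of the same service.  Added example, not code from the
original post; every address, secret and "origin" label is a constructed
placeholder."""
import hashlib
import hmac
from dataclasses import dataclass

FOO = "192.0.2.10"     # constructed: the user's workstation inside the firewall
BAR = "198.51.100.7"   # constructed: the remote host the user is expected on
TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str      # source address in the IP header: all a filter can judge by
    dst: str
    dport: int
    origin: str   # simulation-only label of who really sent it; not on the wire


@dataclass(frozen=True)
class Rule:
    src: str      # "*" matches any address; dport 0 matches any port
    dst: str
    dport: int
    action: str   # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.src in ("*", p.src)
                and self.dst in ("*", p.dst)
                and self.dport in (0, p.dport))


def packet_filter(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The hole Mark describes: let BAR reach FOO's telnet port, deny all else.
RULES = [Rule(BAR, FOO, TELNET, "allow"), Rule("*", "*", 0, "deny")]

# Constructed shared secret held by the travelling user and by the proxy.
USER_SECRET = b"constructed-demo-secret"


def proxy_challenge_response(secret: bytes, challenge: bytes) -> str:
    """Client side: prove possession of the secret without sending it."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def proxy_admit(rules, p: Packet, challenge: bytes, response: str) -> str:
    """The proxy still sits behind the filter, but additionally demands an
    application-level proof before relaying to the real telnet service."""
    if packet_filter(rules, p) != "allow":
        return "deny"
    expected = proxy_challenge_response(USER_SECRET, challenge)
    if not hmac.compare_digest(expected, response):
        return "deny"
    return "allow"


def scenario() -> dict:
    """Run the three cases from the thread through both gates."""
    challenge = b"constructed-nonce-1"
    good = proxy_challenge_response(USER_SECRET, challenge)
    legit = Packet(BAR, FOO, TELNET, origin="the user, on BAR")
    spoofed = Packet(BAR, FOO, TELNET, origin="someone forging BAR's address")
    intruder = Packet(BAR, FOO, TELNET, origin="intruder logged in on BAR")
    other = Packet("203.0.113.5", FOO, TELNET, origin="unrelated host")
    return {
        # The filter sees only the header: both BAR-sourced packets look the same.
        "filter/legit": packet_filter(RULES, legit),
        "filter/spoofed": packet_filter(RULES, spoofed),
        "filter/other": packet_filter(RULES, other),
        # The proxy adds a second gate: a forged address without the secret stops here.
        "proxy/legit": proxy_admit(RULES, legit, challenge, good),
        "proxy/spoofed": proxy_admit(RULES, spoofed, challenge, "0" * 64),
        # Whoever knows the "magic words" gets in, wherever they really sit.
        "proxy/compromised-bar": proxy_admit(RULES, intruder, challenge, good),
    }


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:24s} {verdict}")
```

The last case is the one Paul's reply turns on: once the external host is assumed compromised, the proxy's credential check is the only thing separating the user from the intruder on BAR, and a credential the intruder can obtain on that host buys nothing. The filter and proxy are complementary gates, not alternatives, and neither substitutes for strong authentication in the service itself.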