Great Circle Associates Firewalls
(June 1995)
 


Subject: Re: Different ways in which Firewalls work, which is more secure ?
From: Rick Smith <smith @ sctc . com>
Date: Thu, 22 Jun 1995 17:46:49 -0500
To: firewalls @ greatcircle . com
Cc: smith @ sctc . com

mdr @ vodka . sse . att . com writes:

>I contend that a firewall passing
>or dropping packets at the IP layer has higher throughput because it
>has less work to do for each packet, and it can do all of the
>processing for the packet at once.  An application layer firewall
>may wind up with a separate process for each proxy connection.

I'm interested in what people think about all of this, long term.
The way I see it, you _can't_ do strong access control at the
packet level.

Strong access control will always depend on checking more information,
keeping more connection state, and at least some crypto checks. That's
not going to happen for free. If you try to redefine packets to contain
more security info, they stop being packets in the traditional sense
and start becoming these complicated vessels of arcane knowledge.
And it no longer fits within a single packet.

BTW, Sidewinder uses one process to handle multiple proxied connections.

Rick.
smith @ sctc . com        roseville, minnesota
