Firewalls: Re: Eternal war: gateway versus filtering

Firewalls
(March 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Eternal war: gateway versus filtering
From:	Frank Willoughby <frankw @ in . net>
Date:	Fri, 8 Mar 96 08:05:44 -0500
To:	firewalls @ GreatCircle . com

Verily, Rick Smith at 03:46 PM 3/7/96 -0600, did write:


>>...but i'm sure, it's only a question of time till vendors will offer
>>both, application level and packet filtering firewalls. 

Perhaps - although I doubt if they would incorporate both into the same
product.

>it would be
>>a very good argument if they are acting as a consulter, too.
>

I disagree here.  Having the firewall vendor acting as a consultant puts
the vendor in a conflict-of-interest situation.  (Sort of like turning
the keys of the prison over to the inmates and telling them they are not
supposed to leave the premises).


>I don't see much sense in putting application gateways and packet
>filters in the same box, or hooking them up in parallel. If the
>networks in question needs the degree of separation provided by an
>application gateway, then you're dilluting the effect by letting a
>filtered packet flow in along with it.
>

Agreed.  Putting different levels of security in parallel will ensure
that the weaker of the two will be used to bypass the stronger security.

Also, it is a good idea to put an IP Packet Filter (on the Internet/untrusted
side) in series with the firewall (with the IP Packet Filter set up so
that it filters the exact same items as the firewall).  There are two 
advantages to this:

o There will be an increase in performance in the firewall.  
  Since the IP Packet Filter is blocking services that the firewall will
  also block, the firewall won't be wasting its CPU resources blocking a 
  connection which is going to be rejected anyway.

o The IP Packet Filter can act as a crude (and inadequate) first layer of 
  defense in protecting the company's networks.  If the Firewall Admin 
  makes a mistake in setting up the firewall rules, the IP Packet Filter 
  will help reduce the risk (somewhat) of the company's exposure to the
  Internet.  While a successful attack is possible under these circumstances,
  it may buy enough time for Firewall Admin to catch the mistake and take
  appropriate corrective actions.


In the above instances, a router may be sufficient to serve as the IP 
Packet Filter (a low-cost option worth considering).  For the ultra-
paranoid who can afford it, place a stateful IP Packet Filter in series
between the external router & the (Applications Gateway) Firewall.

>Rick.
>smith @
 sctc .
 com       secure computing corporation - ISO 9001 certified!


Best Regards,


Frank

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.

Fortified Networks Inc. - Information Security Consulting
Phone: (317) 573-0800   - http://www.fortified.com
Home of the Free Internet Firewall Evaluation Checklist

Follow-Ups:

Re: Eternal war: gateway versus filtering
From: Rolf Weber <weber @ iez . com>
Re: Eternal war: gateway versus filtering
From: "Paul D. Robertson" <proberts @ clark . net>

Indexed By Date	Previous:	Re: FireWall-1 Unofficial Web Site From: Darren Reed <avalon @ coombs . anu . edu . au>
Indexed By Date	Next:	FW: Security of Networked Workstations with dial-up PPP Intern et!!! From: "Husa, Carl" <carl @ crtinc . com>
Indexed By Thread	Previous:	Re: Eternal war: gateway versus filtering From: Rick Smith <smith @ sctc . com>
Indexed By Thread	Next:	Re: Eternal war: gateway versus filtering From: "Paul D. Robertson" <proberts @ clark . net>