Verily, Rick Smith at 03:46 PM 3/7/96 -0600, did write:
>>...but i'm sure, it's only a question of time till vendors will offer
>>both, application level and packet filtering firewalls.
Perhaps - although I doubt if they would incorporate both into the same
>it would be
>>a very good argument if they are acting as a consulter, too.
I disagree here. Having the firewall vendor acting as a consultant puts
the vendor in a conflict-of-interest situation. (Sort of like turning
the keys of the prison over to the inmates and telling them they are not
supposed to leave the premises).
>I don't see much sense in putting application gateways and packet
>filters in the same box, or hooking them up in parallel. If the
>network in question needs the degree of separation provided by an
>application gateway, then you're diluting the effect by letting a
>filtered packet flow in along with it.
Agreed. Putting different levels of security in parallel will ensure
that the weaker of the two will be used to bypass the stronger security.
Also, it is a good idea to put an IP Packet Filter (on the Internet/untrusted
side) in series with the firewall (with the IP Packet Filter set up so
that it filters the exact same items as the firewall). There are two
advantages to this:
o There will be an increase in performance in the firewall.
Since the IP Packet Filter is blocking services that the firewall will
also block, the firewall won't be wasting its CPU resources blocking a
connection which is going to be rejected anyway.
o The IP Packet Filter can act as a crude (and inadequate) first layer of
defense in protecting the company's networks. If the Firewall Admin
makes a mistake in setting up the firewall rules, the IP Packet Filter
will help reduce the risk (somewhat) of the company's exposure to the
Internet. While a successful attack is possible under these circumstances,
it may buy enough time for the Firewall Admin to catch the mistake and take
appropriate corrective actions.
In the above instances, a router may be sufficient to serve as the IP
Packet Filter (a low-cost option worth considering). For the ultra-
paranoid who can afford it, place a stateful IP Packet Filter in series
between the external router & the (Applications Gateway) Firewall.
com secure computing corporation - ISO 9001 certified!
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com
Home of the Free Internet Firewall Evaluation Checklist
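The series-versus-parallel argument and the "router filters the exact same items as the firewall" arrangement from the message above, as an added worked example (not code from the original post or from either company named in it). It models an application gateway policy and a screening-router ACL as first-match rule lists, derives the router ACL from the gateway's permitted services so the two agree, reports any packet the router would pass but the gateway would reject, and shows that two filters in series enforce the stricter policy while the same two in parallel enforce the looser one. Addresses are constructed documentation ranges; the Cisco-style access-list rendering is an illustration of the syntax, not a tested device configuration.

```python
# Added example: screening router in series with an application gateway.
# All addresses are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip" (any protocol)
    src: str                # CIDR
    dst: str                # CIDR
    dport: Optional[int]    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation with an implicit default deny, as on a router ACL."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


def in_series(policies: List[List[Rule]], pkt: Packet) -> str:
    """Series placement: every device on the path must permit the packet."""
    return "permit" if all(evaluate(p, pkt) == "permit" for p in policies) else "deny"


def in_parallel(policies: List[List[Rule]], pkt: Packet) -> str:
    """Parallel placement: the packet gets in if any one path permits it."""
    return "permit" if any(evaluate(p, pkt) == "permit" for p in policies) else "deny"


def router_acl_from_policy(gateway: List[Rule], inside: str) -> List[Rule]:
    """Mirror the gateway's permit rules onto the screening router, then deny the rest."""
    return [r for r in gateway if r.action == "permit"] + [Rule("deny", "ip", "0.0.0.0/0", inside, None)]


def gaps(router: List[Rule], gateway: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets the gateway rejects but the router lets through: the router is not
    filtering 'the exact same items', so the CPU-saving and safety-net benefits are lost."""
    return [p for p in packets
            if evaluate(gateway, p) == "deny" and evaluate(router, p) == "permit"]


def cidr_to_acl(cidr: str) -> str:
    """Cisco extended-ACL address form: 'any', 'host A.B.C.D', or 'network wildcard'."""
    net = ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_cisco(rules: List[Rule], number: int = 101) -> List[str]:
    """Render the rule list as Cisco-style access-list lines (illustrative syntax)."""
    lines = []
    for r in rules:
        port = f" eq {r.dport}" if r.dport is not None else ""
        lines.append(f"access-list {number} {r.action} {r.proto} "
                     f"{cidr_to_acl(r.src)} {cidr_to_acl(r.dst)}{port}")
    return lines


# Constructed policy: the gateway proxies only SMTP and HTTP to one bastion host.
INSIDE = "192.0.2.0/24"
GATEWAY_POLICY = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 25),
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),
    Rule("deny", "ip", "0.0.0.0/0", INSIDE, None),
]
ROUTER_ACL = router_acl_from_policy(GATEWAY_POLICY, INSIDE)
ROUTER_LOOSE = [Rule("permit", "ip", "0.0.0.0/0", INSIDE, None)]   # a mistaken permit-all

SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "tcp", 25),   # mail, allowed
    Packet("198.51.100.7", "192.0.2.10", "tcp", 23),   # telnet, blocked
    Packet("198.51.100.7", "192.0.2.20", "udp", 53),   # DNS to an internal host, blocked
]

if __name__ == "__main__":
    print("\n".join(render_cisco(ROUTER_ACL)))
    for p in SAMPLE_PACKETS:
        print(p.proto, p.dport, "series:", in_series([ROUTER_ACL, GATEWAY_POLICY], p),
              "parallel(loose):", in_parallel([ROUTER_LOOSE, GATEWAY_POLICY], p))
    print("router gaps:", gaps(ROUTER_LOOSE, GATEWAY_POLICY, SAMPLE_PACKETS))
```

Run it and the derived ACL permits exactly the two proxied services and denies everything else to the inside range; `gaps()` comes back empty for the derived ACL and lists the telnet and DNS packets for the permit-all router, and those same packets are denied in series but permitted in parallel, which is the "weaker of the two bypasses the stronger" effect the message describes. Rerunning `gaps()` against the real gateway policy after every rule change is the check that keeps the two devices in step.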