> >>...but i'm sure it's only a question of time till vendors will offer
> >>both application-level and packet-filtering firewalls.
> Perhaps - although I doubt if they would incorporate both into the same
that was what i was trying to say, sorry for my unclear words.
> >>a very good argument if they are acting as a consultant, too.
> I disagree here. Having the firewall vendor acting as a consultant puts
> the vendor in a conflict-of-interest situation. (Sort of like turning
> the keys of the prison over to the inmates and telling them they are not
> supposed to leave the premises).
again, i didn't say it clearly enough.
if a vendor offers both, he can advise his customers much better on which kind
of firewall would be best for *this* customer.
the daily maintenance of the firewall is another story.
> Agreed. Putting different levels of security in parallel will ensure
> that the weaker of the two will be used to bypass the stronger security.
> Also, it is a good idea to put an IP Packet Filter (on the Internet/untrusted
> side) in series with the firewall (with the IP Packet Filter set up so
> that it filters the exact same items as the firewall). There are two
> advantages to this:
> o There will be an increase in performance in the firewall.
> Since the IP Packet Filter is blocking services that the firewall will
> also block, the firewall won't be wasting its CPU resources blocking a
> connection which is going to be rejected anyway.
no, i disagree.
i'm watching my connection and see that 99.9% of the packets are allowed
packets (i'm filtering only the really necessary things, like IP-spoofing stuff;
all the others i want to welcome at my gate :-).
(BTW, if a gate is under attack, the 99.9% isn't true anymore...but you can see
it as a feature if a gate under attack becomes slow...;-)
i'm sure the additional task, packet filtering, decreases the performance
of the whole firewall system.
> o The IP Packet Filter can act as a crude (and inadequate) first layer of
> defense in protecting the company's networks. If the Firewall Admin
> makes a mistake in setting up the firewall rules, the IP Packet Filter
> will help reduce the risk (somewhat) of the company's exposure to the
> Internet. While a successful attack is possible under these circumstances,
> it may buy enough time for Firewall Admin to catch the mistake and take
> appropriate corrective actions.
> In the above instances, a router may be sufficient to serve as the IP
> Packet Filter (a low-cost option worth considering). For the ultra-
> paranoid who can afford it, place a stateful IP Packet Filter in series
> between the external router & the (Applications Gateway) Firewall.
Rolf Weber <weber @
com> | All I ask is a chance
IEZ AG D-64625 Bensheim | to prove that money
++49-6251-1309-113 | can't make me happy.
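As an added example (not part of the original thread, and not code from the poster or any vendor), the following Python model illustrates the two points argued above: a packet filter placed *in series* with the application gateway means the stricter stage decides, so an admin mistake in the gateway rules is still caught by the filter, while *parallel* placement lets the weaker path decide; and with a filter that mirrors the gateway policy, the number of packets the gateway still has to inspect depends on how much of the traffic is allowed anyway. The address space, the allowed-service set, the "mistaken" gateway rule and the traffic sample are all constructed for illustration.

```python
"""Series vs. parallel placement of a packet filter and an application gateway.

Added example: addresses, ports, rules and the traffic sample are constructed
for illustration and do not come from the original thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination TCP port
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int"


# Constructed address space and service policy for the example.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
ALLOWED_PORTS = frozenset({25, 80, 443})   # SMTP and HTTP(S) are the only published services


def packet_filter(pkt: Packet, allowed: frozenset = ALLOWED_PORTS) -> bool:
    """Stateless, router-style filter on the untrusted side.

    Drops spoofed packets (an internal source address arriving on the external
    interface) and otherwise mirrors the gateway's port policy, as suggested
    in the thread.
    """
    if pkt.iface == "ext" and any(ip_address(pkt.src) in net for net in INTERNAL_NETS):
        return False
    return pkt.dport in allowed


def app_gateway(pkt: Packet, allowed: frozenset = ALLOWED_PORTS) -> bool:
    """Application-level gateway, reduced here to its port policy."""
    return pkt.dport in allowed


def in_series(pkt: Packet, stages) -> bool:
    """Series placement: every stage must accept, so the strictest stage decides."""
    return all(stage(pkt) for stage in stages)


def in_parallel(pkt: Packet, stages) -> bool:
    """Parallel placement: any accepting path lets the packet through, so the weakest stage decides."""
    return any(stage(pkt) for stage in stages)


def evaluate(pkt: Packet, gateway_allowed: frozenset = ALLOWED_PORTS):
    """Return (series_verdict, parallel_verdict) for one packet.

    gateway_allowed models the gateway's actual rule set, which may differ from
    the intended policy if the admin made a mistake.
    """
    stages = [packet_filter, lambda p: app_gateway(p, gateway_allowed)]
    return in_series(pkt, stages), in_parallel(pkt, stages)


def gateway_load(packets) -> int:
    """How many packets still reach the gateway when the filter sits in front of it."""
    return sum(1 for p in packets if packet_filter(p))


# Constructed traffic sample: mostly legitimate, one unwanted service request.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.7", "10.0.0.5", 80, "ext"),
    Packet("203.0.113.8", "10.0.0.5", 443, "ext"),
    Packet("198.51.100.2", "10.0.0.6", 25, "ext"),
    Packet("203.0.113.9", "10.0.0.5", 80, "ext"),
    Packet("203.0.113.10", "10.0.0.5", 443, "ext"),
    Packet("198.51.100.3", "10.0.0.6", 25, "ext"),
    Packet("203.0.113.11", "10.0.0.5", 80, "ext"),
    Packet("203.0.113.12", "10.0.0.5", 443, "ext"),
    Packet("203.0.113.13", "10.0.0.5", 80, "ext"),
    Packet("203.0.113.14", "10.0.0.5", 6667, "ext"),   # IRC, not a published service
]


if __name__ == "__main__":
    # Admin mistake: the gateway rule set accidentally also allows telnet (23).
    mistaken_gateway = ALLOWED_PORTS | {23}
    telnet = Packet("203.0.113.7", "10.0.0.5", 23, "ext")
    print("telnet, series/parallel:", evaluate(telnet, mistaken_gateway))
    spoofed = Packet("10.1.2.3", "10.0.0.5", 80, "ext")
    print("spoofed source, series/parallel:", evaluate(spoofed))
    print("packets reaching the gateway:", gateway_load(SAMPLE_TRAFFIC), "of", len(SAMPLE_TRAFFIC))
```

Running it shows the telnet packet rejected in series but accepted in parallel once the gateway rule is wrong, the spoofed packet rejected only because the filter checks the arrival interface, and nine of the ten sample packets still reaching the gateway, which is the situation the poster describes when almost all traffic is allowed traffic.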