On Fri, 8 Mar 1996, Frank Willoughby wrote:
> >>...but I'm sure, it's only a question of time till vendors will offer
> >>both, application level and packet filtering firewalls.
> Perhaps - although I doubt if they would incorporate both into the same
Though the application level stuff is limited (telnet, FTP, SMTP -- not
sure if SOCKS really counts), IBM currently offers this with Secure Network
> >it would be
> >>a very good argument if they are acting as a consulter, too.
> I disagree here. Having the firewall vendor acting as a consultant puts
> the vendor in a conflict-of-interest situation. (Sort of like turning
> the keys of the prison over to the inmates and telling them they are not
> supposed to leave the premises).
> >I don't see much sense in putting application gateways and packet
> >filters in the same box, or hooking them up in parallel. If the
> >networks in question need the degree of separation provided by an
> >application gateway, then you're diluting the effect by letting a
> >filtered packet flow in along with it.
> Agreed. Putting different levels of security in parallel will ensure
> that the weaker of the two will be used to bypass the stronger security.
Only if you rely exclusively on both layers of protection in the same box.
> Also, it is a good idea to put an IP Packet Filter (on the Internet/untrusted
> side) in series with the firewall (with the IP Packet Filter set up so
> that it filters the exact same items as the firewall). There are two
> advantages to this:
> o There will be an increase in performance in the firewall.
> Since the IP Packet Filter is blocking services that the firewall will
> also block, the firewall won't be wasting its CPU resources blocking a
> connection which is going to be rejected anyway.
If you buy a big enough box, this isn't an issue :) In my observations,
CPU doesn't seem to ever be the problem anyway.
> o The IP Packet Filter can act as a crude (and inadequate) first layer of
> defense in protecting the company's networks. If the Firewall Admin
> makes a mistake in setting up the firewall rules, the IP Packet Filter
> will help reduce the risk (somewhat) of the company's exposure to the
> Internet. While a successful attack is possible under these circumstances,
> it may buy enough time for Firewall Admin to catch the mistake and take
> appropriate corrective actions.
> In the above instances, a router may be sufficient to serve as the IP
> Packet Filter (a low-cost option worth considering). For the ultra-
> paranoid who can afford it, place a stateful IP Packet Filter in series
> between the external router & the (Applications Gateway) Firewall.
As long as you continue to screen in front of and behind the
proxy/screen, then it's just another level of protection.
Since most of us buy the same sort of router for all our routing needs (I
don't, but then I'm paranoid), there could be some merit in having the
'wall do its own filtering. So long as it *augments* the screening
routers and doesn't *replace* them.
Paul D. Robertson "My statements in this message are personal opinions
net which may have no basis whatsoever in fact."
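The series-versus-parallel point argued in the thread, as an added example that is not from the list or any poster: a small first-match rule evaluator (constructed; RFC 5737 documentation addresses, hypothetical rule sets) shows why a screening router in series with the firewall catches an admin mistake in the firewall rules, while the same two layers in parallel let the weaker one be used to bypass the stronger.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source CIDR
    dst: str       # destination CIDR
    dports: range  # destination port range


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def match(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and pkt.dport in rule.dports)


def evaluate(rules: list, pkt: Packet) -> bool:
    """First-match evaluation, implicit deny when nothing matches."""
    for rule in rules:
        if match(rule, pkt):
            return rule.action == "permit"
    return False


def in_series(layers: list, pkt: Packet) -> bool:
    """Router in front of the firewall: every layer must permit the packet."""
    return all(evaluate(layer, pkt) for layer in layers)


def in_parallel(layers: list, pkt: Packet) -> bool:
    """Layers side by side: the packet gets in if any one layer permits it."""
    return any(evaluate(layer, pkt) for layer in layers)


INTERNET, DMZ, ALL_PORTS = "0.0.0.0/0", "192.0.2.0/24", range(0, 65536)
# Screening router ACL: the same services the firewall is meant to allow.
ROUTER = [Rule("permit", "tcp", INTERNET, DMZ, range(25, 26)),   # SMTP
          Rule("permit", "tcp", INTERNET, DMZ, range(80, 81)),   # HTTP
          Rule("deny", "any", INTERNET, INTERNET, ALL_PORTS)]
# Firewall rules with an admin mistake: telnet was meant to be denied.
FIREWALL = [Rule("permit", "tcp", INTERNET, DMZ, range(23, 24)),  # the mistake
            Rule("permit", "tcp", INTERNET, DMZ, range(25, 26)),
            Rule("permit", "tcp", INTERNET, DMZ, range(80, 81)),
            Rule("deny", "any", INTERNET, INTERNET, ALL_PORTS)]
```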