In regards to the article in Info World, it mentions that Firewall-1 has
what would seem to be a serious design flaw. At boot time, the in.routed
router daemon was started before the firewall software, creating a
window of opportunity (2 to 3 seconds ?) in which the internal network
is exposed. This was especially surprising to me, as it states in the
manual to not use extended IP access lists on the router to filter
traffic, but to rather route *all* incoming traffic to the firewall. I
quote: "Use routers to provide proper network connectivity. Use a
firewalled gateway behind the router to perform the filtering
We are currently considering Firewall-1, because of it's flexibility and
it's "Stateful Packet Inspection" of protocols such as UDP. I am very
curious to know how anyone on the list has resolved this issue. I would
think that one would only need to change the order in which these things
are started by editing the startup scripts. If not, what did others out
there do to address this?
If this is a topic that has already been discussed, please feel free to
contact me directly.
Thanks in advance for your help,
>From: Christopher Klaus[SMTP:cklaus @
>Sent: Friday, August 02, 1996 2:13 PM
>To: firewalls @
>Subject: Info World Firewall Articles
>In this weeks InfoWorld, they have done a comparision of many of the
>firewalls. Might be worthwhile to take a look at if you are going to
>There's also an article in InfoWorld , July 29, 1996 Issue, on Page 79
>with Marcus Ranum & I discussing 'Does scanning for vulnerabilities
>firewall is safe?'
>Thought it might be worth taking a look at if you missed it.
>Christopher William Klaus Voice: (404)252-7270. Fax: (404)252-2427
>Internet Security Systems, Inc. "Internet
>Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328 your network
>Web: http://iss.net/ Email: cklaus @
net before the