If I may offer my opinion without getting beat
up for being an advocate of FW1 over proxies... :)
FW1 does offer user authentication (which I don't use)
for inside users, and users on the outside who you
want to authenticate to get in...can use s/key etc...
Out of the box, it doesn't log web page contents
or URLs. It does log (if you tell it to) every
connection essentially on a transport level. You
get the to and from addresses, and the to and from port
number.
Having said that, there are addons (which I haven't used)
that will scan for viruses and block out java, so I suppose
it's not inconceivable that it could log most whatever you like.
I think the main reason for using it is flexibility and transparancy.
How secure it is compared to a proxy is the main point of
contention I believe. I allow a wide range of connection types,
and I think having one solution that can handle them all vs.
a bunch of different proxy servers is more secure. Also, it should
be noted that I'm not particularly worried about trojans or
bad applets. My users can download anything they like via
FTP or HTTP, so if they are determined to screw themselves, they can.
I also believe that virus protection is better left on the client.
The other side of the arguement is that if you only want to allow
one or two service types, one or two proxies may be more secure,
and it will probably be much easier to parse out things at higher layers
(i.e. Java, Active-X, bad words, whatever..) than it would on a solution
that starts at the network layer and works up.
Ryan
---------- Previous Message ----------
To: firewalls
cc:
From: c60201 @ zone.arnold.af.mil ("Sean Fuller") @ smtp
Date: 08/15/96 08:01:58 PM
Subject: Re: Security implications of DHCP?
On Aug 15, 5:27pm, Nassim Chaabouni <chaabouni @
houston .
omnes .
net> wrote:
> >[a bunch of stuff I said deleted]
>
> Forget about proxies and use FW1
Thanks. What brilliant insight. ;)
I assume you are talking about Firewall 1?
The whole story is kinda funny when I look back on it. I actually
independently invented proxies 4 years ago. I coded the first one
on a MicroVAX. It was a generic thing, a lot like SOCKS. The
first application I proxied was FTP and the second was Mosaic 0.9.
It was a blast. The whole thing has grown up since then, and I
have learned a lot. Why ruin all my fun? :)
There is a move to standardize within the Air Force. Don't know what
we'll pick yet, but we are definitely looking at everything available,
including Firewall 1.
Why would you suggest FW1 over a proxy firewall?
Do you know if FW1 supports user authentication, or application specific
logging (like we do for Web accesses here)?
|
|
