Hi Pedro,
Even though I work for Cisco, may I add the following inline
comments?
You should not confuse between:
- packet filtering routers, i.e. plain Cisco or xxx routers
with cumbersome and intricate access control lists
- a firewall component which uses a more evolved inspection
technique, like PIX or Firewall-1
At 09:29 4/06/97 +0100, Pedro Salgueiro wrote:
>Hi to all,
>
>I've been "watching" the discussion regarding the differences between
>packet-filtering and application level firewalls. I believe that there are
>some:
>1 - Packet filtering firewalls are more difficult to manage (It is very
>simple to mis-configure => less secure).
>It may be very complicated establishing rules.
True for routers, not true for components like PIX or Firewall-1. The
latter are more protocol aware and thus ACLs are much easier to configure.
>2 - Packet filter systems are always routing packets (so "fail-open" may
>occur). A well known constructor firewall crashed with a ping attack and
>routed all the packets from the insecure network to the secure one.
True again for routers, but false for PIX/FW-1.
>3 - If you are using a packet filter system and you provide SMTP, HTTP,
>etc. you cannot control what the users do with those protocols, i.e., you
>open or close a port. Application level firewalls provide secure daemons
>of those protocols.
True again for routers, but false for PIX/FW-1. The latter
have knowledge of the HTTP, SMTP, ... protocols and actually
analyse the traffic to make their decision.
Hope this helps
>Regards,
>
>Pedro Salgueiro
>
>
>Data General Portugal
>Tel. +351 - 1 - 4129600
>Fax. +351 - 1 - 4129699
>mailto:psalgueiro@pt.europe.dg.com
>
>R. Dr. António Loureiro Borges nº2
>Arquiparque - Miraflores
>1495 Algés
>Portugal
>______________________________________________
>"Don't take life too serious no one gets out alive!!!! :-)"
>
>* These are my own opinions and do not reflect those of the company *
>
>----------
>From: Mike Jones
>Sent: quarta-feira, 4 de junho de 1997 8:55
>To: mfiocchi@otm.it; firewalls@GreatCircle.COM; carlsonp@sprynet.com
>Subject: Re: PIX and Firewall-1
>
>Peter Carlson writes....
>> There are many comparisons made by datacomm, lan times, ziff-davis and
>> others. Keep in mind that both pix and fw-1 are glorified packet filters,
>> even though they have a fancy name for it. I would stick with an
>> application level gateway. They are well accepted and known for being more
>> secure.
>
>Many things are known that aren't so. This claim comes by periodically
>in this forum, and I have yet to get an answer to this question: in
>what way are application level gateways more secure than, say, FW-1 or PIX?
>There are certainly capabilities that can be provided via application
>proxies that can't be provided by any filter-based technologies, but what
>types of attacks are a FW-1 or a PIX vulnerable to that application
>proxies aren't?
>--
> Mike Jones
> Sr. Technology Advisor
> UNIFIED Technologies
>
>
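The two points argued above (a port-based filter "opens or closes a port" and cannot see what is done over it, while a protocol-aware component "analyses the traffic to make its decision"; and whether the device fails open or closed) can be made concrete with a small simulation. The following is an added illustration, not code from this thread, from Cisco, or from any PIX or Firewall-1 product: the ACL format, the `Packet` type, the HTTP request-line check and the sample traffic are all constructed here. It shows the same four packets judged first by an address/port ACL alone and then by the ACL followed by an HTTP inspector that denies anything it cannot parse (fail closed) or any method outside a small allow list.

```python
"""Port-based ACL vs. protocol-aware inspection on the same sample traffic.

Added illustration for the firewalls list discussion; not vendor code.
Rule syntax, packet model and sample payloads are constructed here.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination TCP port
    payload: bytes  # first bytes of the application data


# --- 1. A plain packet-filtering ACL: decides on addresses and ports only ---
# Constructed rule list: (source prefix, destination, dest port, action).
# First match wins; an implicit deny sits at the end, as on a router ACL.
ACL = [
    ("10.0.0.", "192.0.2.10", 80, "permit"),  # internal hosts -> web server
    ("10.0.0.", "192.0.2.20", 25, "permit"),  # internal hosts -> mail relay
]


def acl_decision(pkt: Packet) -> str:
    """Return 'permit' or 'deny' looking only at addresses and the port."""
    for src_prefix, dst, dport, action in ACL:
        if pkt.src.startswith(src_prefix) and pkt.dst == dst and pkt.dport == dport:
            return action
    return "deny"  # nothing matched: implicit deny


# --- 2. Protocol-aware inspection: looks inside the HTTP request line ---
ALLOWED_METHODS = {"GET", "HEAD"}  # constructed policy: read-only web access


def inspect_http(payload: bytes) -> str:
    """Permit only a well-formed HTTP/1.x request that uses an allowed method.

    Any parse failure is treated as a deny, i.e. the inspector fails closed
    rather than letting unrecognised traffic through on an open port.
    """
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"  # not HTTP, or malformed request line
    if not version.startswith("HTTP/1."):
        return "deny"
    if method not in ALLOWED_METHODS:
        return "deny"
    if not target.startswith("/"):
        return "deny"  # absolute-URI (proxy style) targets are not accepted here
    return "permit"


def inspecting_decision(pkt: Packet) -> str:
    """Address/port ACL first, then protocol inspection where one exists."""
    if acl_decision(pkt) != "permit":
        return "deny"
    if pkt.dport == 80:
        return inspect_http(pkt.payload)
    return "permit"  # no inspector for this service: ACL result stands


# Constructed sample traffic, all from an internal host.
SAMPLES = {
    "normal_get": Packet("10.0.0.5", "192.0.2.10", 80,
                         b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    "put_upload": Packet("10.0.0.5", "192.0.2.10", 80,
                         b"PUT /upload HTTP/1.1\r\nHost: www\r\n\r\n"),
    "not_http":   Packet("10.0.0.5", "192.0.2.10", 80,
                         b"\x16\x03\x01\x00\x2a\x01\x00"),  # TLS-looking bytes on port 80
    "wrong_host": Packet("10.0.0.5", "192.0.2.99", 80,
                         b"GET / HTTP/1.1\r\nHost: other\r\n\r\n"),
}


def compare(samples=SAMPLES) -> dict:
    """Map each sample name to (port-filter verdict, inspecting verdict)."""
    return {name: (acl_decision(p), inspecting_decision(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (acl, insp) in compare().items():
        print(f"{name:11s} packet-filter={acl:6s} inspecting={insp}")
```

The port filter permits `put_upload` and `not_http` because both are addressed to an open port; only the inspecting path distinguishes a read-only request from an upload or from non-HTTP bytes. The `try`/`except` in `inspect_http` is the fail-closed behaviour the thread contrasts with a router that keeps routing when its filtering fails.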