Great Circle Associates Firewalls
(June 1997)

Subject: RE: PIX and FW-1 (packet filter Question)
From: Cy Ardoin <ardoin @ cycon . com>
Date: Wed, 4 Jun 1997 19:45:07 -0400 (EDT)
To: Firewalls @ GreatCircle . COM
In-reply-to: <199706041811 . LAA27022 @ honor . greatcircle . com>

I don't think there is anything an application firewall can
do that can't also be done by a "packet filter" firewall.  The
new packet filter firewalls are not like the old Cisco/Bay router
filters.  The new systems operate at the network layer, but they
have knowledge of the protocols and applications.  They
open up the packets and modify the data.  These systems are
doing content filtering and other "application" types of operations.
Yes, not all of them do these things, but many do, and new
feature/functions are being added to these systems every year.

The key trade-off is performance.  Network layer filters want
to do everything fast.  That's required when you are blocking
interrupts and other low-level things.  So there are some things
done by application gateways that these systems are reluctant to
do for performance reasons. Nevertheless, the design doesn't
prohibit packet filters from performing the functions found in
most application gateways.

I don't think I would want an application gateway securing
a 10Mbit or 100+Mbit pipe to the Internet.  

On the other side, packet filters can do things that an application
gateway can't do; namely, network-network NAT and bi-directional
NAT.  Application gateways can't do these things because they must rely
on the underlying OS to handle the network layer and deliver the packets
to the applications.  Now before I get flamed, yes, application gateways
can do NAT, but only very simple NAT unless you wedge a process into
the kernel to intercept packets before they reach the routing decision.
But if you do that, you've just turned your application gateway into
a packet filter (and you derive all the "bad" features attributed to
packet filters).

--
Cy Ardoin
ardoin @ cycon . com
--------------------------------------------------------------------
-- Cypress Consulting, Inc.            |  Voice: 703/383-0247     ---
-- 4101 Olympic Way, Alexandria VA     |  Fax:   703/383-0320     ----
--           and                       |                          ----
-- 11240 Waples Mill Road, Suite 403,  |  http://www.cycon.com/   ---
--       Fairfax, VA 22030             |                          --
--------------------------------------------------------------------
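The network-to-network, bi-directional NAT that the post credits to packet filters, modelled as an added example (this is not code from the post, from PIX or from FW-1): a static prefix-to-prefix rule translates in both directions without per-flow state, so connections can be initiated from either side. Addresses, the Packet type and the NetworkNAT class are all constructed for this illustration.

```python
# Added example: minimal model of network-to-network (1:1 prefix) NAT.
# The inside/outside prefixes below are constructed documentation ranges.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


class NetworkNAT:
    """Static mapping of an inside prefix onto an equal-sized outside prefix.

    Because the rule covers whole prefixes, there is no translation table
    to build on the fly: outbound packets get their source rewritten,
    inbound packets get their destination rewritten, and an outside host
    can open a connection to an inside host as easily as the reverse.
    """

    def __init__(self, inside: str, outside: str):
        self.inside = ipaddress.ip_network(inside)
        self.outside = ipaddress.ip_network(outside)
        if self.inside.prefixlen != self.outside.prefixlen:
            raise ValueError("network-to-network NAT needs equal-sized prefixes")

    def _map(self, addr: str, frm, to) -> Optional[str]:
        """Carry the host bits of addr from prefix frm over to prefix to."""
        ip = ipaddress.ip_address(addr)
        if ip not in frm:
            return None
        host_bits = int(ip) - int(frm.network_address)
        return str(to.network_address + host_bits)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source; other traffic passes untouched."""
        new_src = self._map(pkt.src, self.inside, self.outside)
        return replace(pkt, src=new_src) if new_src else pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite the destination, or drop (None) when the
        destination is not one of the mapped outside addresses."""
        new_dst = self._map(pkt.dst, self.outside, self.inside)
        return replace(pkt, dst=new_dst) if new_dst else None
```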


