Peter Carlson writes....
> in what way are application level gateways more secure than, say, FW-1 or PIX?
>There are certainly capabilities that can be provided via application
>proxies that can't be provided by any filter-based technologies, but what
>types of attacks are a FW-1 or a PIX vulnerable to that application
>proxies aren't?
Do not replace a proxy server with a 'State-based Firewall'. State-based or
packet filter firewalls are being marketed well. Engineers who work for
these companies know better than to replace proxies with filters, but
they're not stupid enough to kill potential sales. ;)
Application proxies monitor commands sent at the application layer, and
reconstruct packets so that IP attacks can't be sent beyond the firewall.
From what I understand, state-based (a.k.a. enhanced extended packet
filter) security devices inspect the first packet that comes across with
enhanced extended filtering rules and can include additional authentication.
If that packet passes all filtering rules, remaining packets of that session
are passed through without inspection.
A properly configured (Internet) firewall comprises a proxy server
protected from the Internet by a packet filter. The better the packet
filter (state-based or extended filter), the less work the proxy server has
to do as far as inspecting/denying traffic. The packet filter can also
protect the proxy server from misc. IP-based attacks.
Good applications for packet filter/State-based firewalls are low-security
internet feeds and fast low-latency intranet (10/100/155MB/...) security
filtering. Not everyone needs a full application proxy firewall, a subject
that comes up when I visit Mom-and-Pop small businesses that want a single
feed for their 10 PCs.
IMHO - State-based firewalls are 'only' packet filters, and for the
corporate environment should not replace the traditional proxy server, but
work in conjunction with one.
_____________________________________________________________________________
Bill Stout (Systems Engineer/Consultant) stoutb @ pios . com
Pioneer Standard (Computer Systems & Components) http://www.pios.com/
San Jose, CA (Location of 1 of 52 U.S. offices) (408) 954-9100
*My opinions do not reflect that of the company, and vice-versa, thankfully.*
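The layered design the post describes (a screening packet filter in front of an application proxy, each stopping what the other cannot) is modelled below as an added example; it is not code from the post or from any of the products named. The addresses, ports, allowed HTTP methods and header policy are assumptions made for illustration. The screening filter applies static rules only to the first packet of a flow and then relies on its state table, exactly the behaviour the post attributes to state-based devices; the proxy parses each HTTP request and emits a freshly built one instead of relaying the client's bytes, so unknown methods, smuggled headers and attempts to use the proxy as a pivot back into the internal network never leave the firewall.

```python
"""Two-layer firewall model: stateful screening filter + HTTP application proxy.
Constructed example; addresses, ports and policy are assumptions for illustration."""
import re
from dataclasses import dataclass, field

PROXY_IP = "192.0.2.10"          # proxy's address on the screened segment (assumed)
INTERNAL_NET = "10.0.0."         # internal network prefix behind the proxy (assumed)
OUTBOUND_PORTS = {80, 443}       # ports the proxy may open towards the Internet
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}
FORWARDED_HEADERS = {b"user-agent", b"accept", b"content-type"}
MAX_REQUEST_LINE = 2048
HOST_RE = re.compile(rb"[A-Za-z0-9.-]+(:[0-9]{1,5})?")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False            # first packet of a TCP flow


@dataclass
class ScreeningFilter:
    """Packet filter on the Internet link. Static rules decide only the first
    packet of a flow; every later packet is matched against the state table."""
    state: set = field(default_factory=set)

    def accept(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return True                  # established session: no rule lookup
        if not pkt.syn:
            return False                 # mid-stream packet with no state
        if pkt.src.startswith(INTERNAL_NET):
            return False                 # internal hosts never speak on this link: spoofed
        if pkt.src == PROXY_IP and pkt.dport in OUTBOUND_PORTS:
            self.state.add(fwd)          # the proxy opening an outbound connection
            return True
        return False                     # nothing from the Internet may open a flow


class HttpProxy:
    """Application proxy: parses the client's request and emits a freshly built
    request, so only understood, policy-conforming commands reach the Internet."""

    def rebuild(self, raw: bytes):
        """Return the rebuilt request, or None when the request is refused."""
        head, sep, body = raw.partition(b"\r\n\r\n")
        if not sep:
            return None                  # headers incomplete: refuse rather than guess
        lines = head.split(b"\r\n")
        if any(b"\n" in line or b"\r" in line for line in lines):
            return None                  # bare CR/LF inside a line: header smuggling
        parts = lines[0].split(b" ")
        if len(lines[0]) > MAX_REQUEST_LINE or len(parts) != 3:
            return None
        method, target, version = parts
        if method not in ALLOWED_METHODS or version not in (b"HTTP/1.0", b"HTTP/1.1"):
            return None                  # CONNECT, TRACE, unknown versions refused
        if not target.startswith(b"http://"):
            return None                  # proxy requests must be absolute-form http URLs
        host_port, _, path = target[7:].partition(b"/")
        if not HOST_RE.fullmatch(host_port):
            return None
        host = host_port.split(b":")[0].decode()
        if host == PROXY_IP or host.startswith(INTERNAL_NET):
            return None                  # refuse use of the proxy as a pivot inward
        headers, length = [], None
        for line in lines[1:]:
            name, colon, value = line.partition(b":")
            name, value = name.strip().lower(), value.strip()
            if not colon:
                return None              # malformed header line
            if name == b"content-length":
                if not value.isdigit():
                    return None
                length = int(value)
            elif name in FORWARDED_HEADERS:
                headers.append(name.title() + b": " + value)
        if length is None:
            body = b""                   # undeclared trailing data is not relayed
        elif length != len(body):
            return None                  # ambiguous framing: refuse
        else:
            headers.append(b"Content-Length: " + str(length).encode())
        out = [method + b" /" + path + b" HTTP/1.1", b"Host: " + host_port]
        out += headers + [b"Connection: close", b"", body]
        return b"\r\n".join(out)


def run_scenarios():
    """Constructed traffic run through both layers; returns each verdict by name."""
    flt, proxy, r = ScreeningFilter(), HttpProxy(), {}
    r["direct_to_internal"] = flt.accept(Packet("198.51.100.7", 40000, "10.0.0.5", 139, syn=True))
    r["spoofed_internal"] = flt.accept(Packet("10.0.0.5", 40001, PROXY_IP, 8080, syn=True))
    r["inbound_to_proxy"] = flt.accept(Packet("198.51.100.7", 40002, PROXY_IP, 25, syn=True))
    r["proxy_outbound"] = flt.accept(Packet(PROXY_IP, 50000, "198.51.100.7", 80, syn=True))
    r["reply_to_proxy"] = flt.accept(Packet("198.51.100.7", 80, PROXY_IP, 50000))
    r["unsolicited"] = flt.accept(Packet("198.51.100.7", 80, PROXY_IP, 50001))
    r["clean_get"] = proxy.rebuild(
        b"GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\nX-Debug: 1\r\n\r\n")
    r["post_with_body"] = proxy.rebuild(
        b"POST http://example.com/login HTTP/1.1\r\nUser-Agent: test\r\nContent-Length: 7\r\n\r\nabc=def")
    r["connect_refused"] = proxy.rebuild(b"CONNECT 10.0.0.5:22 HTTP/1.1\r\nHost: 10.0.0.5:22\r\n\r\n")
    r["pivot_refused"] = proxy.rebuild(b"GET http://10.0.0.5/admin HTTP/1.1\r\n\r\n")
    r["smuggled_header"] = proxy.rebuild(b"GET http://example.com/ HTTP/1.1\r\nX: a\nHost: evil\r\n\r\n")
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20} {verdict!r}")
```

The filter never looks past the 5-tuple, so it is the right place to stop direct access to internal hosts, spoofed internal sources and unsolicited packets cheaply; once the proxy's outbound flow exists, everything on it is waved through, which is why the proxy must be the layer that decides whether the HTTP inside that flow is acceptable.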