Great Circle Associates Firewalls
(June 1997)
 


Subject: RE: PIX and Firewall-1
From: Craig Brozefsky <craig @ onshore . com>
Date: Thu, 5 Jun 1997 10:47:25 -0500
To: Bill Stout <stoutb @ pios . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <2 . 2 . 32 . 19970604211523 . 0070ff68 @ vaxf . pios . com>

On Wed, 4 Jun 1997, Bill Stout wrote:

> Peter Carlson writes....
> >in what way are application level gateways more secure than, say, FW-1 or PIX?
> >There are certainly capabilities that can be provided via application 
> >proxies that can't be provided by any filter-based technologies, but what
> >types of attacks are a FW-1 or a PIX vulnerable to that application
> >proxies aren't?

You should check out comp.security.firewalls for a good 
discussion of these issues.  PIX is a NAT capable router with a few 
filtering rules thrown in; such things are hardly safe, architecturally 
or implementation-wise.  NAT is NOT, I repeat NOT!, a security tool, and 
should not be treated as a part of your security infrastructure.  Nearly 
all NAT tools are not designed with security in mind.

> Application proxies monitor commands sent at the application layer, and
> reconstruct packets so that IP attacks can't be sent beyond the firewall.
> (From what I understand), State-based (a.k.a. enhanced extended packet
> filter) security devices inspect the first packet that comes across with
> enhanced extended filtering rules and can include additional authentication.
> If that packet passes all filtering rules, remaining packets of that session
> are passed through without inspection.

I am not sure that all SMLI firewalls use that method to determine a 
packet's validity.  

> Good applications for packet filter/State-based firewalls are low-security
> internet feeds and fast low-latency intranet (10/100/155MB/...) security
> filtering.  Not everyone needs a full application proxy firewall, a subject
> that comes up when I visit Mom-and-Pop small businesses that want a single
> feed for their 10 PCs.

I agree; we actually use Linux boxen in such situations.  Our company has
a support infrastructure in place to keep those machines in good shape, 
they are cheap for the client, and we have very intimate knowledge of 
their workings (most of us in the company are Linux fans).  We've been 
doing this for a few years now, I believe.  It does routing, email, and 
NAT for their PC/MAC network and often handles dial-in and printing 
services as well.  All parties involved know that this is not 'the most 
secure' solution, but it's the most cost effective and flexible.

> IMHO - State-based firewalls are 'only' packet filters, and for the
> corporate environment should not replace the traditional proxy server, but
> work in conjunction with one.

I agree.  It would rock if TIS got their IP packet filters really whacked 
out, with all kinds of filtering options on packet headers.  It works 
well now, but I would like to really have the ability to write up some 
insane rulesets.

Craig Brozefsky              craig @ onshore . com
onShore Inc.                 http://www.onshore.com/~craig
Development Team             p_priority=PFUN+(p_work/4)+(2*p_cash)
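The distinction Bill Stout describes above (a state-based filter that judges a session on its first packet and then passes the rest of that session without inspection, versus an application-level gateway that parses every command) reduced to a toy Python model. This is an added example, not code from the original thread or from any of the products mentioned (PIX, FW-1, TIS); the `Packet` class, the rule sets, the port numbers and the sample packets are all constructed for illustration.

```python
"""Toy model of two firewall designs: a state-based (session) filter and an
application-level gateway.  Constructed example; not a real firewall."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet: source, destination, destination port, a flag string
    ("SYN" marks a session-opening packet) and the application payload."""
    src: str
    dst: str
    dport: int
    flags: str
    payload: bytes = b""


class StatefulFilter:
    """Checks the rule set only on a session-opening packet.  Once the
    session key is recorded, later packets with the same key are passed
    without their payload being looked at, which is the behaviour the
    thread describes."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.sessions = set()

    def decide(self, pkt):
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.sessions:
            return "pass"  # already approved session: no inspection
        if pkt.flags == "SYN" and pkt.dport in self.allowed_ports:
            self.sessions.add(key)
            return "pass"
        return "drop"


class ApplicationGateway:
    """Parses every data packet's payload as an application command and
    checks it against an allow list, regardless of session state."""

    def __init__(self, allowed_ports, allowed_commands):
        self.allowed_ports = set(allowed_ports)
        self.allowed_commands = set(allowed_commands)

    def decide(self, pkt):
        if pkt.dport not in self.allowed_ports:
            return "drop"
        if pkt.flags == "SYN":
            return "pass"  # connection setup carries no command yet
        command = pkt.payload.split(b" ", 1)[0].upper()
        return "pass" if command in self.allowed_commands else "drop"


def run(firewall, packets):
    """Feed packets through a firewall in order; return the decisions."""
    return [firewall.decide(p) for p in packets]


# Constructed sample session: an FTP-style control connection to port 21,
# then a second session attempt to port 23.  Addresses are documentation
# ranges, not real hosts.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 21, "SYN"),
    Packet("10.0.0.5", "192.0.2.10", 21, "", b"USER anonymous"),
    Packet("10.0.0.5", "192.0.2.10", 21, "", b"DELE report.txt"),
    Packet("10.0.0.5", "192.0.2.10", 23, "SYN"),
]

# Hypothetical policy: port 21 is open; only a read-only command set is
# permitted at the application layer.
READ_ONLY_COMMANDS = {b"USER", b"PASS", b"RETR", b"QUIT"}

if __name__ == "__main__":
    print("stateful filter:", run(StatefulFilter({21}), SAMPLE))
    print("application gateway:",
          run(ApplicationGateway({21}, READ_ONLY_COMMANDS), SAMPLE))
```

The stateful filter admits the third packet because its session was approved on the first one; the gateway drops it because `DELE` is not on the allow list. Both drop the port 23 attempt, since that decision only needs header fields.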


