Great Circle Associates Firewalls
(June 1997)
 


Subject: Re: PIX and FW-1 (packet filter Question)
From: "Jonathan M. Bresler" <jmb @ FRB . GOV>
Date: Thu, 05 Jun 1997 14:42:53 -0400
To: Cy Ardoin <ardoin @ cycon . com>
Cc: "Jonathan M. Bresler" <jmb @ FRB . GOV>, Firewalls @ GreatCircle . COM
In-reply-to: Your message of "Thu, 05 Jun 1997 14:11:33 EDT." <Pine . BSF . 3 . 96 . 970605140358 . 13267H-100000 @ live-oak . cycon . com>

>On Thu, 5 Jun 1997, Jonathan M. Bresler wrote:
>
>> 
>> >I don't think there is anything an application firewall can
>> >do that can't also be done by a "packet filter" firewall.  The
>> 
>> 	trivial example:
>> 	a smtp application level proxy can disable the "debug" command
>> for every sendmail behind that firewall.
>
>Finding and removing the "debug" command from smtp connections at the 
>packet layer isn't much different than finding and altering the PORT and
>PASV part of the FTP command  and all the NAT style packet filters
>modify the FTP commands.  It's not something packet filters do, but
>it is no more difficult than many of the things they already do.

Cy,  the difficulty of implementing this is not the point.  the point is
that application level proxies provide this.  packet filters, stateful or
not, do not provide this.

ain't hard to apply a tourniquet, but until it's applied, someone bleeds 
to death ;)

jmb
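
[Added example, not part of the original message or thread: a minimal sketch of the check an application-level SMTP proxy applies, screening each client command line before it reaches the sendmail behind it. The class and function names, the reply text and the sample session are constructed for illustration; the sketch assumes the server accepts DATA.]

```python
# Added illustration; all names here are hypothetical, not from any product.
BLOCKED_VERBS = frozenset({b"DEBUG"})        # the command named in the thread
REFUSAL = b"500 Command unrecognized\r\n"    # constructed refusal reply


class SmtpCommandFilter:
    """Reassembles the client byte stream into lines and screens each verb."""

    def __init__(self, blocked=BLOCKED_VERBS):
        self.blocked = {v.upper() for v in blocked}
        self.buf = b""
        self.in_data = False  # True while relaying a message body after DATA

    def feed(self, chunk):
        """Accept bytes as read from the client socket.

        Returns (to_server, to_client): bytes to relay to the mail server
        and refusal replies to send back to the client.
        """
        self.buf += chunk
        to_server, to_client = [], []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            if self.in_data:
                # Message body: relay untouched; a lone "." ends it.
                to_server.append(line + b"\r\n")
                if line == b".":
                    self.in_data = False
                continue
            parts = line.split(None, 1)
            verb = parts[0].upper() if parts else b""
            if verb in self.blocked:
                to_client.append(REFUSAL)  # the command never reaches sendmail
                continue
            to_server.append(line + b"\r\n")
            if verb == b"DATA":
                self.in_data = True  # assumption: server answers 354
        return b"".join(to_server), b"".join(to_client)


def demo():
    # Constructed client traffic; one command arrives split across two reads.
    chunks = [b"HELO client.example\r\nde",
              b"BUG\r\nMAIL FROM:<a@example.org>\r\nRCPT TO:<b@example.org>\r\n",
              b"DATA\r\ndebug is only text here\r\n.\r\nQUIT\r\n"]
    flt, relayed, refused = SmtpCommandFilter(), b"", b""
    for chunk in chunks:
        to_server, to_client = flt.feed(chunk)
        relayed += to_server
        refused += to_client
    return relayed, refused
```

Because the filter works on reassembled command lines and tracks the DATA state, the decision is made per SMTP command rather than per packet, and the word "debug" inside a message body is relayed unchanged.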




