Cannot resist replying :-) Beware that I'm working for Cisco Systems ;-)
At 10:47 5/06/97 -0500, Craig Brozefsky wrote:
>On Wed, 4 Jun 1997, Bill Stout wrote:
>> Peter Carlson writes....
>> >in whatway are application level gateways more secure than, say, FW-1
>> >There are certainly capabilities that can be provided via application
>> >proxies that can't be provided by any filter-based technologies, but what
>> >types of attacks are a FW-1 or a PIX vulnerable to that application
>> >proxies aren't?
>You should check out comp.security.firewalls for a good
>discussion of these issues. PIX is a NAT capable router with a few
>filtering rules thrown in, such things are hardly safe, architecturally,
>and implementation wise. NAT is NOT, I repeat NOT! a security tool, and
>should not be treated as a part of your security infrastructure. Nearly
>all NAT tools are not designed with security in mind.
I both agree and disagree:
1) NAT is NOT a security feature; I thus agree 200% with you
2) but I agree 0% with you when you say that PIX is just a NAT router
- PIX is not a router at all; it is not based on our IOS router software
- PIX is able to NAT but is not limited to NAT
- PIX is very strong, due to its full-state inspection, against
attacks on IP, TCP, ... protocols: SYN flooding, IP spoofing,
TCP/IP session hijacking, ... It also randomizes the TCP sequence
numbers of the TCP sessions going through it
- PIX knows about the internals of some protocols (from ICMP to RealAudio
via HTTP) and is able to check / react on these protocols
I'm stopping now because it is becoming too commercial on
a technical list.
But, once again: the PIX is a secure and high-performance component
of most security architectures.
Technical Consultant Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke @
com Mobile: +32-75-312.458
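To make concrete what the message above means by "full-state inspection" plus TCP sequence-number randomization, here is an added toy model in Python. It is not PIX code and not part of the original thread: it tracks only inside-originated TCP flows, drops anything without state or with addresses inconsistent with the interface it arrived on (anti-spoofing), and rewrites the inside host's sequence numbers with a per-flow random offset so that the outside never learns the real (possibly predictable) ISN. The addresses, ports, the fixed ISN used in the example, and the acceptance window are assumptions chosen for illustration.

```python
import os
from dataclasses import dataclass

SEQ_MOD = 1 << 32
WINDOW = 1 << 16  # toy acceptance window for ACK validation (assumption)


@dataclass(frozen=True)
class Segment:
    """Constructed, simplified TCP segment (no checksum, no options)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset
    seq: int
    ack: int
    payload_len: int = 0


def seg(src, dst, sport, dport, flags, seq, ack=0, payload_len=0):
    return Segment(src, dst, sport, dport, frozenset(flags),
                   seq % SEQ_MOD, ack % SEQ_MOD, payload_len)


class Flow:
    def __init__(self, delta, inside_nxt):
        self.state = "SYN_SENT"
        self.delta = delta            # added to inside seq numbers on the way out
        self.inside_nxt = inside_nxt  # next seq the inside host will send (real numbers)


class StatefulInspector:
    """Toy stateful firewall with per-flow ISN randomization.

    Interfaces are "inside" and "outside"; only the inside may open connections.
    """

    def __init__(self, inside_prefix, isn_source=None):
        self.inside_prefix = inside_prefix
        # Real firewalls use a CSPRNG; a fixed source can be injected for testing.
        self.isn_source = isn_source or (lambda: int.from_bytes(os.urandom(4), "big"))
        self.flows = {}      # (in_ip, in_port, out_ip, out_port) -> Flow
        self.decisions = []  # (verdict, reason) log

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def _drop(self, reason):
        self.decisions.append(("DROP", reason))
        return None

    def process(self, s, iface):
        """Return the segment to forward (with rewritten numbers) or None if dropped."""
        from_inside = iface == "inside"
        # Anti-spoofing: inside addresses must arrive on the inside interface and vice versa.
        if from_inside != self._inside(s.src) or from_inside == self._inside(s.dst):
            return self._drop("address inconsistent with arrival interface (spoofing)")
        key = (s.src, s.sport, s.dst, s.dport) if from_inside else (s.dst, s.dport, s.src, s.sport)
        flow = self.flows.get(key)
        return self._outbound(s, key, flow) if from_inside else self._inbound(s, key, flow)

    def _outbound(self, s, key, flow):
        nxt = (s.seq + s.payload_len + ("SYN" in s.flags) + ("FIN" in s.flags)) % SEQ_MOD
        if flow is None:
            if s.flags != {"SYN"}:
                return self._drop("no state for non-SYN segment from inside")
            isn = self.isn_source() % SEQ_MOD
            flow = self.flows[key] = Flow((isn - s.seq) % SEQ_MOD, nxt)
        else:
            if flow.state == "SYN_RECV" and "ACK" in s.flags:
                flow.state = "ESTABLISHED"
            flow.inside_nxt = nxt
        # Rewrite seq with the random offset; ack refers to the outside host's numbers.
        self.decisions.append(("FORWARD", "outbound, seq rewritten"))
        return Segment(s.src, s.dst, s.sport, s.dport, s.flags,
                       (s.seq + flow.delta) % SEQ_MOD, s.ack, s.payload_len)

    def _inbound(self, s, key, flow):
        if flow is None:
            return self._drop("default deny: no inside-originated state")
        real_ack = (s.ack - flow.delta) % SEQ_MOD
        # The ACK must acknowledge data the inside host actually sent (within WINDOW).
        if not (flow.inside_nxt - real_ack) % SEQ_MOD <= WINDOW:
            return self._drop("ACK outside expected window (hijack / blind injection)")
        if flow.state == "SYN_SENT":
            if s.flags != {"SYN", "ACK"}:
                return self._drop("expected SYN/ACK while in SYN_SENT")
            flow.state = "SYN_RECV"
        if "RST" in s.flags:
            del self.flows[key]
        self.decisions.append(("FORWARD", "inbound, ack translated back"))
        return Segment(s.src, s.dst, s.sport, s.dport, s.flags, s.seq, real_ack, s.payload_len)
```

The interesting case is the forged inbound segment: an attacker who correctly guesses the inside host's real ISN (1000, deliberately predictable in the test) and sends ack=1001 is still dropped, because the outside world only ever saw the randomized value; the legitimate peer, which acknowledges the randomized number, gets through and sees its ACK translated back to what the inside host expects.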