Great Circle Associates Firewalls
(June 1997)

Subject: RE: PIX and Firewall-1
From: Craig Brozefsky <craig @ onshore . com>
Date: Fri, 6 Jun 1997 08:18:47 -0500
To: Eric Vyncke <evyncke @ cisco . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <3 . 0 . 32 . 19970606094942 . 006e0a64 @ brussels . cisco . com>

On Fri, 6 Jun 1997, Eric Vyncke wrote:

> Craig,
> 
> Cannot resist replying :-) Beware that I'm working for Cisco Systems ;-)

Is cool.

> I both agree and disagree:
> 
> 1) NAT is NOT a security feature, I thus agree 200% with you
> 
> - PIX is very strong due to its full-state inspection against
>   attacks for IP, TCP, ... protocols: SYN flooding, IP spoofing,
>   TCP/IP session hijacking, ... It also randomizes the TCP sequence
>   numbers of the TCP sessions going through it

I do not agree that 'full-state inspection' makes PIX 'very strong'.  See
previous thread.  I'm reluctant to start yet another SMLI vs. App Proxy
showdown.

> - PIX knows about the internal of some protocols (from ICMP, to RealAudio
>   via HTTP) and is able to check / react on these protocols

Can I write filters for PIX that will be aware of the internals of
protocols?  Or do I have to wait for Cisco to write them?


Craig Brozefsky              craig @ onshore . com
onShore Inc.                 http://www.onshore.com/~craig
Development Team             p_priority=PFUN+(p_work/4)+(2*p_cash)
