-----Original Message-----
From: Eric Vyncke [SMTP:evyncke @
cisco .
com]
Sent: Friday, June 06, 1997 7:55 PM
To: Jonathan M. Bresler; Cy Ardoin
Cc: Firewalls @
GreatCircle .
COM
Subject: Re: PIX and FW-1 (packet filter Question)
At 13:18 5/06/97 -0400, Jonathan M. Bresler wrote:
>
>>I don't think there is anything an application firewall can
>>do that can't also be done by a "packet filter" firewall. The
>
> trivial example:
> a smtp application level proxy can disable the "debug" command
>for every sendmail behind that firewall.
This kind of stuff is also done in some full-state inspection
firewalls :-)
What about the sort of 'potential' nasties such as Java and Active-X? Also stripping of sendmail clever options via SMAP! The default security policy of a strong firewall is to deny anything not specifically allowed - if you cannot filter at the application level then you cannot control options such as these.
My (paranoid) philosophy is that if you don't expect or understand anything in the comms or application protocol, then bar it from transcending the firewall pending a half-decent business or technical case to allow it through.
>
>>new packet filter firewalls are not like the old Cisco/Bay router
>>filters. The new systems operate at the network layer, but they
>>have knowledge of the protocols and applications. They
>>open up the packets and modify the data. These systems are
>>doing content filtering and other "application" types of operations.
>>Yes, not all of them do these things, but many do, and new
>>feature/functions are being added to these systems every year.
>
>jmb
>
>
>--
>Jonathan M. Bresler 202-452-2831 breslerj @
frb .
gov
>MS-169 Federal Reserve Board of Governors Washington DC 20551
>Speaking for myself. Others speak for the Federal Reserve Board of Governors
>
>
Eric Vyncke
Technical Consultant Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke @
cisco .
com Mobile: +32-75-312.458
|
|
