If you're not going to filter anything, do you
need the firewall to primarily deny access to the
hosts except for the services you want reachable?
Regular packet filters would be good for that, unless
you're trying to get stats.
FW1 has SYNDefender, which ought to be of
great interest to you guys, though I imagine
you've got most of your hosts patched for
SYN floods by now? :)
Ryan
patlee@panix.com on 10/29/97 11:18:46 AM
To: firewalls@GreatCircle.COM
cc: (bcc: Ryan Russell/SYBASE)
Subject: AG and SPF differences
Can someone tell me the main differences between AG and SPF firewalls from
the perspective that the firewall will be used for incoming traffic. i.e.
I'm not looking for something that'll let my internal users out. Actually
we're looking at two firewalls to sandwich the DMZ with. The one in front
needs primarily HTTP & HTTPS whereas the backend one would need to support
lots of other protocols. Ideally would an AG be better for the front end
and a SPF better for the backend?
If not, what does an AG buy me in the backend? Most AGs don't support
protocols like RPC, SHTTP, SNMP, SQL*Net, and the usual ones NT uses so
I'll end up using generic proxies for these, right? Does an AG boil down to
simple packet filtering for non-supported protocols?
Even in the front end, what does an AG buy me for primarily *incoming*
traffic? I don't need URL filtering, virus scanning, controlling file
transfers, etc. etc. So in concept I'd agree AGs are more secure because
they have application knowledge. However, do a lot of the things AGs do
make sense for primarily incoming traffic?
Would appreciate any opinion ... even from vendors! 8-)
--
Patrick Lee <pat@patlee.org>
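As an added illustration that is not part of the thread, here is a small Python model of the default-deny "sandwich" Patrick describes, with the connection tracking that distinguishes an SPF from a plain packet filter: the front filter exposes only HTTP/HTTPS on the DMZ web host, the back filter lets only that web host reach the internal database. The addresses, ports and the SQL*Net listener port 1521 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str    # CIDR the packet must originate from
    dst: str    # CIDR the packet must be addressed to
    dport: int  # TCP destination port of the service made reachable

class StatefulFilter:
    """Default-deny TCP filter: new connections need a matching rule,
    replies are admitted from a connection table, everything else is dropped."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()  # (src, sport, dst, dport) of admitted connections

    def _permitted(self, pkt):
        return any(ip_address(pkt["src"]) in ip_network(r.src)
                   and ip_address(pkt["dst"]) in ip_network(r.dst)
                   and pkt["dport"] == r.dport for r in self.rules)

    def decide(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.conns:      # reply to a connection we already admitted
            return "allow"
        if pkt["syn"] and self._permitted(pkt):
            self.conns.add(key)        # remember the flow so its replies pass
            return "allow"
        return "deny"                  # stray ACKs, unlisted services, wrong source

def pkt(src, sport, dst, dport, syn):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn}

# Constructed topology: a DMZ web host and an internal database (assumed addresses).
WEB, DB = "192.0.2.10", "10.0.0.5"

def build_filters():
    """Front filter: anyone may reach the web host on 80/443, nothing else.
    Back filter: only the DMZ web host may reach the database on SQL*Net (1521)."""
    front = StatefulFilter([Rule("0.0.0.0/0", WEB + "/32", 80),
                            Rule("0.0.0.0/0", WEB + "/32", 443)])
    back = StatefulFilter([Rule(WEB + "/32", DB + "/32", 1521)])
    return front, back
```

A stateless filter would need an extra "established" rule for the reply direction; the connection table is what lets the stateful filter drop unsolicited ACKs while still passing replies.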