Re: [fw-wiz] Evolution of Firewalls
From: ArkanoiD (ark_at_eltex.ru)
Date: 03/09/04
- Previous message: Mike Hoskins: "RE: [fw-wiz] Multiple small switches vs. a single big one"
- In reply to: Dave Piscitello: "Re: [fw-wiz] Evolution of Firewalls"
- Next in thread: Patrick M. Hausen: "Re: [fw-wiz] Evolution of Firewalls"
- Reply: Patrick M. Hausen: "Re: [fw-wiz] Evolution of Firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Dave Piscitello <dave@corecom.com>
Date: Tue, 9 Mar 2004 12:24:33 +0300
nuqneH,
There is a major difference: a proxy does analysis and reconstructs the data
stream from the analysed data, while a stateful inspection system can only decide
to let it pass or not. The impact is obvious: it is much more likely for a
stateful inspection system to miss a thing that is not known to it, or to
exploit a bug when the inspection system parses data differently from
the communication endpoint. The proxy output stream, not only the general
verdict, depends on the parsing results.
YMMV and it is implementation dependent; a bad proxy may implement a
protocol without the proper level of detail and a good stateful inspection engine
may behave better, but proxy technology in general is clearly superior
for the real world.
On Mon, Mar 08, 2004 at 02:37:02PM -0500, Dave Piscitello wrote:
> Stateful inspection, deep packet inspection, application protection,
> application intelligence, application aware ...
>
> Lots of names for the same security functionality: examining application
> headers and application data streams for attacks and blocking them. You can
> and some vendors still do this using proxy architecture, while some use the
> same stateful packet inspecting methods they used to examine network
> protocol headers.
>
> The most secure firewall? Probably has less to do with proxy vs. stateful
> inspection than policy, implementation/configuration, and the admin at the
> policy console.
>
> At 08:48 PM 3/7/2004 -0500, Frederick M Avolio wrote:
> >At 11:56 PM 3/4/2004 +0800, skpoo@pacific.net.sg wrote:
> >>... Our team is currently debating if Stateful Deep Inspection firewall
> >>is going to be the new technology to replace the Application Proxies
> >>firewall which is deemed to be most secure currently. ...
> >
> >At the risk of being obvious -- or worse, being called a dinosaur :-), it
> >depends. Do you care more about usability or security? When push comes to
> >shove is it more important to never stop a connection at the risk of the
> >possibility of something bad slipping through? It really is as simple as
> >that. I tell people in one of my classes, you hear about it if you
> >misconfigure your firewall to reject a required action, but will rarely
> >hear about it if you allow too much through. (I stated it as "You always
> >hear about conservative errors but rarely about liberal ones," but that
> >could be taken wrong now-a-days.)
> >
> >Fred
> >
> >_______________________________________________
> >firewall-wizards mailing list
> >firewall-wizards@honor.icsalabs.com
> >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
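The difference ArkanoiD describes, written out as an added Python example (not code from the thread or from any firewall product): two minimal, hypothetical engines apply the same "first Host header wins" parsing rule to the same request. The stateful inspector forwards the original bytes untouched, so an endpoint that parses differently ("last Host header wins", a model constructed for this example) ends up acting on a value the inspector never judged. The proxy rebuilds the request from what it parsed, so the endpoint can only see what the proxy saw. The sample requests and the `ALLOWED_HOSTS` policy are constructed for the example.

```python
from __future__ import annotations

# Constructed policy for the example: the only host the firewall may forward to.
ALLOWED_HOSTS = {"intranet.example"}

# Constructed sample request carrying two Host headers. Endpoint parsers
# disagree on which one counts, which is the "parses data differently from
# the communication endpoint" case described in the thread.
AMBIGUOUS_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Host: other.example\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed unambiguous request: both engines should treat it the same way.
CLEAN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> tuple[bytes, list[tuple[str, str]]]:
    """Split an HTTP/1.x request head into its request line and header list."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _colon, value = line.partition(b":")
        headers.append((name.strip().decode("ascii").lower(),
                        value.strip().decode("ascii")))
    return lines[0], headers


def firewall_host(headers: list[tuple[str, str]]) -> str | None:
    """Parsing rule shared by both firewall engines: the first Host header wins."""
    for name, value in headers:
        if name == "host":
            return value
    return None


def endpoint_host(raw: bytes) -> str | None:
    """Model of a server whose parser lets the last Host header win (constructed)."""
    _line, headers = parse_request(raw)
    hosts = [value for name, value in headers if name == "host"]
    return hosts[-1] if hosts else None


def stateful_inspect(raw: bytes) -> tuple[bool, bytes]:
    """Stateful inspection: a verdict only; allowed bytes are forwarded untouched."""
    _line, headers = parse_request(raw)
    allowed = firewall_host(headers) in ALLOWED_HOSTS
    return allowed, raw if allowed else b""


def proxy_forward(raw: bytes) -> tuple[bool, bytes]:
    """Proxy: same verdict rule, but the output is rebuilt from the parsed fields."""
    request_line, headers = parse_request(raw)
    host = firewall_host(headers)
    if host not in ALLOWED_HOSTS:
        return False, b""
    # Re-serialise with exactly one Host header, carrying the value the proxy
    # judged, followed by the remaining non-Host headers. Whatever the endpoint's
    # own parsing rule, it can only see what the proxy decided on.
    rebuilt = [request_line, b"Host: " + host.encode("ascii")]
    rebuilt += [f"{name}: {value}".encode("ascii")
                for name, value in headers if name != "host"]
    return True, b"\r\n".join(rebuilt) + b"\r\n\r\n"


def compare(raw: bytes) -> dict[str, dict[str, object]]:
    """What the endpoint ends up seeing behind each engine for one request."""
    result: dict[str, dict[str, object]] = {}
    for label, engine in (("stateful", stateful_inspect), ("proxy", proxy_forward)):
        allowed, forwarded = engine(raw)
        result[label] = {
            "allowed": allowed,
            "endpoint_sees": endpoint_host(forwarded) if allowed else None,
        }
    return result


if __name__ == "__main__":
    for name, request in (("clean", CLEAN_REQUEST), ("ambiguous", AMBIGUOUS_REQUEST)):
        print(name, compare(request))
```

For the ambiguous request both engines say "allowed", but behind the inspector the endpoint acts on `other.example`, a host the policy never permitted, while behind the proxy it acts on `intranet.example`. A stricter proxy could also refuse the ambiguous request outright; the point of the example is only that the proxy's output, not just its verdict, follows from its parse.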