Re: [fw-wiz] Evolution of Firewalls
From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 03/10/04
- Previous message: Dale W. Carder: "Re: [fw-wiz] Re: firewall-wizards digest, Vol 1 #1229 - 18 msgs"
- In reply to: Chunduru Rama Krishna Prasad: "Re: [fw-wiz] Evolution of Firewalls"
- Next in thread: Marcus J. Ranum: "Re: [fw-wiz] Evolution of Firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 10 Mar 2004 08:20:40 +0530
On 09/03/04 09:38 +0530, Chunduru Rama Krishna Prasad wrote:
> Hi Kang,
>
> Application proxy firewalls run based on the applications. Example: a new
> application comes in the market, and again you have to write a new application proxy.
Correct. From a security PoV, this is a good thing. You have another
implementation for the protocol analyser, hopefully by different people
who keep an eye on security and hence will have fewer/different bugs.
> Stateful packet inspection firewall is better than proxy firewalls.
Nope. SPF is a partial implementation of an ALG.
> Other things which you may like to consider are:
> 1. Common attack detection and prevention.
I would prefer not to have my IDS and firewall mixed up.
A firewall policy of block everything and then allow what is needed
works best. And with an ALG in the middle, you get to stop those
attacks, or deal with them as you wish.
> 2. ALG Support (There are some applications that don't work
> without ALG support such as H.323, FTP, RTSP, SQL*NET,
> based on your requirement DNS for twice NAT)
Welcome to the world of proxies. FTP is an inherently broken protocol,
but passive mode ftp will work through simple packet filters.
> 3. Performance.
A SPF would be slightly faster. I am not so sure about that on modern
machines. The advantages of a proxy on modern hardware well outweigh the
disadvantages of a pure packet filter.
> 4. Flexible user interface.
*Scriptability*
> 5. Type of NAT support.
Proxies don't need this. Nice, isn't it?
> 6. Do vulnerability scanning for the firewall. Search on the internet for
> utilities like nessus etc.
True.
>
> Analyze your security requirements and make sure that firewall satisfies
> your needs.
Perfectly correct here.
Depending on the budget, I would go with a combination of a frontend SPF
and then proxies behind it rather than throwing all the load on a single
box. IDS placement as required.
Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
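Added example, not part of Devdas Bhagat's message or anything else in this thread: a toy default-deny packet filter plus the FTP-specific state tracking an SPF or ALG has to add on top of it. It illustrates two points from the reply above: that "SPF is a partial implementation of an ALG" (the filter cannot handle active-mode FTP until something parses the control channel for it), and that passive-mode FTP works through a simple packet filter with no protocol knowledge at all. The addresses, ports and FTP dialogue are constructed sample data; the class and function names are the example's own.

```python
import re
from dataclasses import dataclass, field

# RFC 959 encodes an address as six decimal octets: h1,h2,h3,h4,p1,p2.
_HP = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PORT_RE = re.compile(r"^PORT " + _HP + r"\s*$")
PASV_RE = re.compile(r"^227 [^(]*\(" + _HP + r"\)")


def decode_hostport(groups):
    """Turn the six captured octets into an (ip, port) pair, rejecting
    values a real ALG should never trust (octets above 255)."""
    octets = [int(x) for x in groups]
    if any(o > 255 for o in octets):
        raise ValueError("FTP host/port octet out of range")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


@dataclass
class SimpleFilter:
    """Toy packet filter with a default-deny policy: flows from the inside
    prefix to the outside are allowed, nothing inbound is, unless an ALG
    has added a pinhole for an expected data connection."""
    inside_prefix: str                              # assumed: "10.0.0."
    pinholes: set = field(default_factory=set)      # (src_ip, dst_ip, dst_port)

    def permits(self, src, dst, dport):
        inbound = not src.startswith(self.inside_prefix)
        if not inbound and not dst.startswith(self.inside_prefix):
            return True                             # outbound: allowed
        return (src, dst, dport) in self.pinholes   # inbound: deny by default


class FtpAlg:
    """Minimal FTP protocol analyser: reads the control channel and works
    out which data connection the two sides are about to open. This is
    the part an SPF has to implement per protocol, and a proxy gets for
    free by speaking FTP itself."""

    def __init__(self, fw, client_ip, server_ip):
        self.fw, self.client, self.server = fw, client_ip, server_ip

    def client_line(self, line):
        m = PORT_RE.match(line)
        if not m:
            return None                             # not a PORT command
        ip, port = decode_hostport(m.groups())
        # The client may only ask for data to be sent back to itself;
        # a PORT pointing at a third host is refused outright.
        if ip != self.client:
            return "reject"
        # Active mode: the server will connect inbound to client:port.
        # Without this pinhole the default-deny filter drops that SYN.
        self.fw.pinholes.add((self.server, ip, port))
        return ("active", ip, port)

    def server_line(self, line):
        m = PASV_RE.match(line)
        if not m:
            return None                             # not a 227 reply
        ip, port = decode_hostport(m.groups())
        if ip != self.server:
            return "reject"
        # Passive mode: the client connects outbound to server:port, which
        # the filter above already allows; a stricter per-port outbound
        # policy would need this pinhole, so record it anyway.
        self.fw.pinholes.add((self.client, ip, port))
        return ("passive", ip, port)


def demo():
    """Constructed dialogue between an inside client and an outside server."""
    fw = SimpleFilter("10.0.0.")
    client, server = "10.0.0.5", "192.0.2.10"
    r = {}
    # Passive transfer with no ALG at all: server advertises port 50000
    # (195*256+80) and the client connects out to it -> plain filter is enough.
    r["passive_no_alg"] = fw.permits(client, server, 50000)
    # Active transfer with no ALG: server connects in to client:1025 -> dropped.
    r["active_no_alg"] = fw.permits(server, client, 1025)
    alg = FtpAlg(fw, client, server)
    r["port_parsed"] = alg.client_line("PORT 10,0,0,5,4,1")          # 4*256+1
    r["active_with_alg"] = fw.permits(server, client, 1025)
    r["bounce"] = alg.client_line("PORT 192,0,2,99,0,25")           # third host
    r["pasv_parsed"] = alg.server_line("227 Entering Passive Mode (192,0,2,10,195,80)")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

Running demo() shows the passive data connection permitted by the bare filter, the active one dropped until FtpAlg has parsed the PORT command and opened the matching pinhole, and a PORT naming a third host refused. A real ALG also has to undo the pinhole when the data connection closes or the control session ends; that timeout handling is left out here to keep the example short.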