Re: Linux firewall/IDS/NAT suggestions
From: Seth Arnold (sarnold_at_wirex.com)
Date: 06/03/03
- Previous message: Arthur Corliss: "Re: Linux firewall/IDS/NAT suggestions"
- In reply to: Jimi Thompson: "Re: Linux firewall/IDS/NAT suggestions"
- Next in thread: Alex Russell: "Re: Linux firewall/IDS/NAT suggestions"
Date: Tue, 3 Jun 2003 10:04:00 -0700
To: focus-linux@securityfocus.com
On Sun, Jun 01, 2003 at 09:52:38PM -0500, Jimi Thompson wrote:
> If you need routing gear, check out an open source project called
> Freesco.
It is my understanding Freesco is based on the 2.0.x series of kernels.
This means whatever firewall they provide is not going to be a stateful
firewall.
There are many benefits to a stateful firewall. In short, they require
viewing the TCP session setup packets before allowing the follow-on TCP
packets through the filter. Stateless firewalls cannot make this
requirement -- they typically filter only the session setup packets!
This means specially-crafted packets can slip right through the
firewall.
I don't know how big a concern this is for the original poster's
organization. I _do_ know that stateful firewalls are just that much
nicer, so I'd recommend something newer than the freesco project. :)
--
"Learning curve encryption is much more powerful than elliptical curve encryption." -- Alan Olsen
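
Added example, not part of the original message and not code from Freesco or any firewall project: a small Python model of the stateless/stateful difference described above, run over constructed traffic. The `Packet` type, the two filters and the policy (inside hosts may open sessions, outside hosts may not) are assumptions made for illustration.

```python
# Constructed model for illustration; not real firewall code.
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags set on the segment
    inbound: bool      # True when arriving from the outside network

def stateless_filter(pkt):
    """Judge each packet alone: block only inbound session setup (SYN without ACK)."""
    if pkt.inbound and "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return "DROP"
    return "ACCEPT"    # any other flag combination is assumed to belong to a session

class StatefulFilter:
    """Admit a packet only if its session setup was seen first."""
    def __init__(self):
        self.conns = {}  # (inside ip, port, outside ip, port) -> state

    def check(self, pkt):
        key = ((pkt.dst, pkt.dport, pkt.src, pkt.sport) if pkt.inbound
               else (pkt.src, pkt.sport, pkt.dst, pkt.dport))
        state = self.conns.get(key)
        if not pkt.inbound and pkt.flags == {"SYN"}:
            self.conns[key] = "SYN_SENT"        # inside host opens a session
            return "ACCEPT"
        if state == "SYN_SENT" and pkt.inbound:
            if pkt.flags != {"SYN", "ACK"}:
                return "DROP"                   # only the handshake reply is valid here
            self.conns[key] = "ESTABLISHED"
            return "ACCEPT"
        return "ACCEPT" if state is not None else "DROP"

# Constructed traffic: one legitimate outbound session, then an unsolicited inbound ACK.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"SYN"}), False),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), True),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"ACK"}), False),
    Packet("198.51.100.7", 4444, "10.0.0.5", 22, frozenset({"ACK"}), True),
]

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.check(p)) for p in packets]
```

The first three packets pass both filters; the last one, which belongs to no session, is accepted by the stateless rules and dropped by the stateful ones.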