Re: Firewalls: what's the use?

From: Chris Shepherd (
Date: 12/18/03

Date: Thu, 18 Dec 2003 11:38:03 -0500

Tim Haynes wrote:
> No, you're the one bandying around such phrases as "a firewall is JUST
> filtering/manipulating network traffic", and then proceeding to say that
> things that do exactly that somehow aren't firewalls.

I think trivializing something that does MUCH MORE than firewalling (packet
filtering, logging, traffic normalization, and so forth) by calling it a
firewall is to misunderstand the intended use of the software. For instance, a
Proxy can act like a firewall; however, to call a Proxy (mistakenly IMO) a
firewall is to ignore the other added benefits it can offer you. Yes, it offers
firewalling functionality; however, it is not just a firewall.

My stance on using the right single tool for the job stems from my experience as
a programmer. There are situations where it does not make sense to employ a
proxying firewall, or an application firewall, and so forth. I have also found
it is generally MUCH better to use separate firewalls and proxies and so forth,
rather than one service/daemon. By nature such a system (when configured equally
well) will be more secure. It goes back to that discussion on layers of security.

> The wiki article you allude to above seems to get it reasonably accurate,
> IMO. Note how it includes proxying as one way to get firewalling features.

I have never said proxies didn't provide firewalling features. I said proxies
are not firewalls. They include such functionality, but it is silly IMO to take
a proxy daemon and try and use it as a firewall for a large corporate network,
and not use its proxy features. It is first and foremost a proxy, that is what
its intended design is, and that is what it will likely function best as. This
is not true for all cases.

>>I hadn't realised this was going to devolve into a semantical discussion
>>about how to define a word. At any rate, this is incredibly off topic,
> It's entirely on-topic for cols.

Then start a new thread. Considering the subject of this thread, it is off-topic.

Chris Shepherd
