Firewall Wizards mailing list archives
RE: PIX sux? (know Stateful vs Application)
From: "Shaun Moran" <Shaun () TheMorans Com>
Date: Mon, 27 Dec 1999 14:29:53 +1000
I agree that Stateful technologies (i.e.: Layer 3) will not stop against application level attacks, but also there are serious risks with Proxy (application Level) technologies if they do not protect the firewall itself against Layer 3 attacks. Application level firewalls could have the ability to stop against application attacks (i.e.: MS RDAC) but how many of them actually do protect against these attacks ??? Most application level Firewalls I know simply relay the HTTP request to the Internal Servers. Both types of Firewalls correctly designed and implemented will protect against the majority of the attacks from the Internet BUT with the technology available today you can't put all your eggs in one basket and relay JUST on the Firewall. You have to think of the whole network and apply security to every part of it (access control, patches, design, etc) As a footnote - both Stateful and application level firewalls are slowly merging into the same thing. Checkpoint have their security servers which are basically application proxies and products like Gauntlet can be configured to only proxy the first couple of packets and then 'route' the remainder using Stateful technologies. I welcome the day when you can put your trust into a firewall to do it all (and some products are getting there) but in my experience that day is still pretty far away. Shaun Actually - I'm really surprised that the open source movement hasn't produced any firewall products that even come close to commercial products. In just about every other software area - the open source version is as good if not better than some of the commercial products (eg: Squid) -----Original Message----- From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Predrag Zivic Sent: Friday, 24 December 1999 5:28 AM To: Ryan Russell Cc: firewall-wizards () nfr net Subject: Re: PIX sux? (was Re: Start watching your logfiles folks!) Well, --- Ryan Russell <Ryan.Russell () sybase com> wrote:
Since PIX is a network level firewall, there arequitea few OSI levels that can be used to attack you......The PIX can't really touch layer 1, is that what you meant?Although your site is under attack PIX will notreportany errors or stop the unauthorized activity.My FW-1 firewall (which is the same basic technology as the PIX) reports on and protects from quite a few things.
All I am trying to say here is that both FW-1 & PIX will not be able to catch application layer attacks. I don't question the "firewalling" capabilities of FW-1 & PIX or would like to start a discussion on statefull vs. proxy. One would think about application level attacks and bring a different type of technology to support/compliment firewalls. Firewalls (PIX & FW-1) will neither help in all situations nor are a total solution for all Internet based attacks. Pez P.S. One would think about the mail viruses (maybe even better, trojans) that travel over the Internet, although we have firewalls... _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com
Current thread:
- PIX sux? (was Re: Start watching your logfiles folks!) Ryan Russell (Dec 24)
- <Possible follow-ups>
- Re: PIX sux? (was Re: Start watching your logfiles folks!) Predrag Zivic (Dec 26)
- RE: PIX sux? (know Stateful vs Application) Shaun Moran (Dec 27)
- RE: PIX sux? (know Stateful vs Application) Frederick M Avolio (Dec 28)
- RE: PIX sux? (know Stateful vs Application) David Lang (Dec 28)
- RE: PIX sux? (know Stateful vs Application) Dom De Vitto (Dec 28)
- Re: PIX sux? (know Stateful vs Application) Darren Reed (Dec 30)
- RE: PIX sux? (know Stateful vs Application) Shaun Moran (Dec 27)
- Re: PIX sux? (was Re: Start watching your logfiles folks!) Ryan Russell (Dec 27)