Firewall Wizards mailing list archives

RE: PIX sux? (know Stateful vs Application)


From: Frederick M Avolio <fred () avolio com>
Date: Tue, 28 Dec 1999 09:12:46 -0500

At 02:29 PM 12/27/99 +1000, Shaun Moran wrote:
> As a footnote - both Stateful and application level firewalls are slowly
> merging into the same thing. Checkpoint have their security servers which
> are basically application proxies and products like Gauntlet can be
> configured to only proxy the first couple of packets and then 'route' the
> remainder using Stateful technologies.

I disagree. I would say "many firewalls are hybrids, combining firewall gateway technologies (filtering, circuit, and application)." This has been the case with some since the first non-router firewall was shipped. The question, if one cares about the technology (and different types of firewalls have the *ability* to be more granular in what they do than others), is "are the different technologies combined in series (AND) or parallel (OR)?" For example, the first commercial firewall -- DEC SEAL -- did it in series. The Gauntlet technology you mention looks like it also does it in series.

> I welcome the day when you can put your trust into a firewall to do it all
> (and some products are getting there) but in my experience that day is still
> pretty far away.

It is "far away" in the past. DEC SEAL, TIS FWTK, TIS Gauntlet, ANS Interlock, and Raptor Eagle all "did it all" when they first shipped. What has changed is the definition of "it." "It" has changed as the Internet -- and so its use -- has grown. As long as new "gotta have this" services are invented for the Internet, the most particular firewalls will always lag behind, at least some.


Fred
Avolio Consulting
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/
