Firewall Wizards mailing list archives

Re: Firewall comparison in Data Communications


From: "Ge' Weijers" <ge () progressive-systems com>
Date: Tue, 1 Jun 1999 14:27:00 -0400

On Sat, May 29, 1999 at 03:21:59PM -0700, Robert Graham wrote:
It depends on where a firewall hooks into the TCP/IP stack. I know that
BlackICE (an IDS with some minor firewall functionality) hooks in
between the adapter and the TCP/IP stack. Because of this, it has to
completely re-implement the TCP/IP stack that it is filtering, meaning
any/all features/bugs of the Microsoft stack are irrelevant.

'completely re-implement the TCP/IP stack' is an exaggeration. You can
easily plug a packet filter between the network card device driver and
the network stack(s) proper without having to reinvent the TCP stack,
even if you want to track every single TCP and UDP 'connection' and
maintain connection state. The firewall is not going to request
retransmits on its own, it's not going to route etc.

The bugs in the host O/S are still relevant, if they can be exploited
using packets that look valid to the firewall. Some exploits use
syntactically valid packets, and a packet-at-a-time firewall may not
protect you against that if you allow incoming traffic to 

Ge'

-- 
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
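A minimal stateful packet filter of the kind Ge' describes, as an added example that is not part of the original post: it sits between the driver and the host stack, tracks TCP flows by 5-tuple and flags alone, and never reassembles, retransmits or routes. The internal host, the published service and all addresses are constructed for the example.

```python
from collections import namedtuple

INTERNAL = {"10.0.0.5"}                # constructed: hosts behind the filter
INBOUND_SERVICES = {("10.0.0.5", 80)}  # constructed: inbound SYNs allowed here

# Just the header fields a packet-at-a-time filter looks at.
Packet = namedtuple("Packet", "src sport dst dport syn ack fin rst",
                    defaults=(False, False, False, False))


class StatefulFilter:
    """Tracks each TCP 'connection' by 5-tuple and flags alone. It never
    reassembles, retransmits or routes, so no second TCP stack is needed."""

    def __init__(self):
        self.table = {}  # canonical flow key -> {"state", "init", "fins"}

    @staticmethod
    def key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    def filter(self, p):
        k, who = self.key(p), (p.src, p.sport)
        e = self.table.get(k)
        if e is None:
            # Only a bare SYN opens a flow: outbound from inside, or inbound
            # to an explicitly published service. Everything else is dropped.
            if p.syn and not p.ack and (
                    p.src in INTERNAL or (p.dst, p.dport) in INBOUND_SERVICES):
                self.table[k] = {"state": "SYN_SENT", "init": who, "fins": set()}
                return "ALLOW"
            return "DROP"
        if p.rst:  # either side aborts: forget the flow
            del self.table[k]
            return "ALLOW"
        if e["state"] == "SYN_SENT":
            if p.syn and p.ack and who != e["init"]:
                e["state"] = "ESTABLISHED"
            elif not (p.syn and not p.ack and who == e["init"]):
                return "DROP"  # only a SYN retry or the SYN/ACK fits here
        if p.fin:
            e["fins"].add(who)
            if len(e["fins"]) == 2:  # both sides have closed
                del self.table[k]
        return "ALLOW"


def verdicts(packets):
    f = StatefulFilter()
    return [f.filter(p) for p in packets]
```

Once a flow is ESTABLISHED every header-valid segment on it is allowed through, so a payload that exploits a bug in the host stack arrives untouched, which is exactly the caveat in the second paragraph.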