Fwd: RE: PIX sux? (know Stateful vs Application)

[Predrag Zivic <pzivic () yahoo com>]

That is exactly my point. Don't put all your eggs in
one basket. Future? Maybe yes, although I think no;
but could be wrong, who knows. We can just guess...
However, multiple layers and points of access should
be addressed and analyzed. Statement that the firewall
(any) would protect one's company from Internet
attacks is misleading. 
Pez

--- Shaun Moran <Shaun () TheMorans Com> wrote:
> From: "Shaun Moran" <Shaun () TheMorans Com>
> To: "Owner-Firewall-Wizards"
> <owner-firewall-wizards () lists nfr net>,
>         "Predrag Zivic" <pzivic () yahoo com>
> Subject: RE: PIX sux? (know Stateful vs Application)
> Date: Mon, 27 Dec 1999 14:29:53 +1000
> Reply-to: "Shaun Moran" <Shaun () TheMorans Com>
>
> I agree that Stateful technologies (i.e.: Layer 3)
> will not stop against
> application level attacks, but also there are
> serious risks with Proxy
> (application Level) technologies if they do not
> protect the firewall itself
> against Layer 3 attacks.
>
> Application level firewalls could have the ability
> to stop against
> application attacks (i.e.: MS RDAC) but how many of
> them actually do protect
> against these attacks ??? Most application level
> Firewalls I know simply
> relay the HTTP request to the Internal Servers.
>
> Both types of Firewalls correctly designed and
> implemented will protect
> against the majority of the attacks from the
> Internet BUT with the
> technology available today you can't put all your
> eggs in one basket and
> relay JUST on the Firewall. You have to  think of
> the whole network and
> apply security to every part of it (access control,
> patches, design, etc)
>
> As a footnote - both Stateful and application level
> firewalls are slowly
> merging into the same thing. Checkpoint have their
> security servers which
> are basically application proxies and products like
> Gauntlet can be
> configured to only proxy the first couple of packets
> and then 'route' the
> remainder using Stateful technologies.
>
> I welcome the day when you can put your trust into a
> firewall to do it all
> (and some products are getting there) but in my
> experience that day is still
> pretty far away.
>
> Shaun
>
> Actually - I'm really surprised that the open source
> movement hasn't
> produced any firewall products that even come close
> to commercial products.
> In just about every other software area - the open
> source version is as good
> if not better than some of the commercial products
> (eg: Squid)
>
>
>
> -----Original Message-----
> From: owner-firewall-wizards () lists nfr net
> [mailto:owner-firewall-wizards () lists nfr net]On
> Behalf Of Predrag Zivic
> Sent: Friday, 24 December 1999 5:28 AM
> To: Ryan Russell
> Cc: firewall-wizards () nfr net
> Subject: Re: PIX sux? (was Re: Start watching your
> logfiles folks!)
>
>
> Well,
> --- Ryan Russell <Ryan.Russell () sybase com> wrote:
> > > Since PIX is a network level firewall, there are
> > quite
> > > a few OSI levels that can be used to attack
> you...
> > ...The PIX can't really touch layer 1, is that
> what
> > you meant?
> >
> > > Although your site is under attack PIX will not
> > report
> > > any errors or stop the unauthorized activity.
> >
> > My FW-1 firewall (which is the same basic
> technology
> > as the PIX) reports on and protects from quite
> > a few things.
> All I am trying to say here is that both FW-1 & PIX
> will not be able to catch application layer attacks.
> I
> don't question the "firewalling" capabilities of
> FW-1
> & PIX or would like to start a discussion on
> statefull
> vs. proxy.
> One would think about application level attacks and
> bring a different type of technology to
> support/compliment firewalls. Firewalls (PIX & FW-1)
> will neither help in all situations nor are a total
> solution for all Internet based attacks.
>
> Pez
>
> P.S. One would think about the mail viruses (maybe
> even better, trojans) that travel over the Internet,
> although we have firewalls...
_________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at
> http://mail.yahoo.com


__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com