Firewall Wizards mailing list archives
Re: Firewall Throughput
From: Andy Smith <andy () centralworks com>
Date: Sun, 10 Sep 2000 19:13:36 -0700
Here is a quote from a paper written in '98 by Fred Avolio:

"As security expert Bill Stout wrote on the firewall mailing list, "The purpose of a security device is to protect a network, not to be fast. Fast is what airline travelers want when passing through airport security, secure is what they want when they tumble through the air after their plane blows up." Stateful packet filters may be adequate for low risk Intranets, or in situations where raw throughput has priority over security. Application gateways should be the technology of choice for organizations that are serious about protecting their networks."

Anyone really concerned about security that owns a PIX (or any packet filtering, stateful inspecting device) should ask themselves the following questions:

Does your firewall do packet fragment reassembly, or is the option to ignore all fragments?
Does your firewall allow external systems to directly touch internal resources?
Does the 3-way handshake occur before initiating a connection to the internal host?
How many times have you had to upgrade your firewall?
Which is more important, security or performance?
Why would anyone concerned about security sacrifice security for performance?

I'll answer the last question: Because their real concern is performance or.... they do not understand security.

Andy Smith

Darren Mackay wrote:
Darren,

| What do you value more - throughput or security ?
|
| If you value security, the PIX isn't the answer,
| IMHO.

Are you saying PIX is not secure? Are you able to elaborate?

I have never had any problem with pix, and it certainly has not failed any 'ethical attacks' that have been thrown against it (unlike other vendors, which can be really esoteric in their configs to get around known vulnerabilities).

ps - I personally like ipfilter, but it is extremely hard to sell it to executives who sign the cheques when there is no official support from the vendor (ie - 24/7 by phone, etc...), thus I have to use commercial products like fw-1, pix and others.

Darren Mackay

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
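The fragment question in Andy's post (reassemble, or ignore all fragments?) is the one most easily shown in code. The block below is an added illustration, not code from the list post, from Cisco, or from any firewall product: a strict IPv4 fragment reassembler beside three toy filter behaviours, run over two hand-constructed fragment sets. The "ACK then overlapping SYN" set follows the overlapping-fragment pattern described in RFC 1858; the port-25 policy, the 10.0.0.x addresses, and the packet contents are assumptions made for the example.

```python
import struct

# Added illustration for the fragment-reassembly question in the thread above.
# Not code from the list post or from any firewall product; the packets below
# are constructed by hand, not captured traffic.

TCP_SYN, TCP_ACK = 0x02, 0x10


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """20-byte TCP header, no options (checksum left zero; the toy filter ignores it)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


def ipv4_fragment(ident: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Raw IPv4 fragment carrying TCP (protocol 6). offset is in bytes, a multiple of 8."""
    assert offset % 8 == 0
    flags_frag = (0x2000 if more else 0) | (offset // 8)  # MF bit + 13-bit fragment offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload


def parse_fragment(pkt: bytes) -> dict:
    ver_ihl, _, total, ident, ff, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "more": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
            "proto": proto, "payload": pkt[ihl:total]}


def reassemble(frags):
    """Strict reassembly of one datagram: an overlap or a hole is rejected, never 'resolved'.
    Returns (status, datagram); status is "ok", "overlap" or "incomplete"."""
    parts = sorted((parse_fragment(f) for f in frags), key=lambda p: p["offset"])
    expected, data = 0, bytearray()
    for p in parts:
        if p["offset"] < expected:
            return "overlap", None      # RFC 1858 style overwrite of bytes already seen
        if p["offset"] > expected:
            return "incomplete", None   # hole: a fragment is missing
        data += p["payload"]
        expected += len(p["payload"])
        if not p["more"]:
            return "ok", bytes(data)
    return "incomplete", None


def tcp_policy(tcp: bytes) -> str:
    """Toy rule: inbound TCP to port 25 is allowed unless it opens a connection (SYN set).
    A header too short to show the flags is denied, as RFC 1858 recommends."""
    if len(tcp) < 14:
        return "deny"
    dport = struct.unpack("!H", tcp[2:4])[0]
    if dport == 25 and not (tcp[13] & TCP_SYN):
        return "allow"
    return "deny"


def filter_per_fragment(frags):
    """Stateless filter: inspects only the offset-0 fragment and passes the rest unread."""
    return [tcp_policy(p["payload"]) if p["offset"] == 0 else "allow"
            for p in map(parse_fragment, frags)]


def filter_drop_all_fragments(frags):
    """The 'ignore all fragments' option: anything fragmented is denied, attack or not."""
    return ["deny" if (p["more"] or p["offset"]) else tcp_policy(p["payload"])
            for p in map(parse_fragment, frags)]


def filter_reassembled(frags):
    """Reassembling filter: the policy runs on the whole datagram; what cannot be
    reassembled is dropped rather than forwarded uninspected."""
    status, datagram = reassemble(frags)
    return tcp_policy(datagram) if status == "ok" else "deny"


# Constructed traffic. BENIGN: an ACK segment to port 25 split at byte 16.
_ack = tcp_header(4000, 25, TCP_ACK) + b"DATA1234"
BENIGN = [ipv4_fragment(0x1111, 0, True, _ack[:16]),
          ipv4_fragment(0x1111, 16, False, _ack[16:])]

# OVERLAP_ATTACK (RFC 1858 pattern): the first fragment shows ACK to port 25; the second
# starts at byte 8 and overwrites bytes 8..19 with a SYN. A receiving stack that prefers
# the later copy reassembles a SYN to port 25 that the first fragment never showed.
OVERLAP_ATTACK = [ipv4_fragment(0x2222, 0, True, tcp_header(4000, 25, TCP_ACK)[:16]),
                  ipv4_fragment(0x2222, 8, False, tcp_header(4000, 25, TCP_SYN)[8:])]

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("overlap attack", OVERLAP_ATTACK)):
        print(name, "per-fragment:", filter_per_fragment(frags),
              "drop-all-fragments:", filter_drop_all_fragments(frags),
              "reassembled:", filter_reassembled(frags))
```

The per-fragment filter passes both fragments of the attack because the only fragment it reads looks like an ACK; the drop-all-fragments option stops the attack but also the legitimate split segment; only the reassembling filter gets both cases right, and it does so by refusing to forward anything whose overlap it cannot inspect rather than by guessing which copy the host will keep.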