Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: stealth firewalls

From: "Volker Tanger" <volker.tanger () discon de>
Date: Thu, 17 Jan 2002 09:53:15 +0100
Greetings!

Irwin Lazar wrote:


I'm reading up a bit on stealth mode firewalls and was wondering what the
industry view is toward these types of boxes.  From my research, stealth
mode firewalls act as LAN switches or bridges, and do not actively modify
the packets they process (such as decrementing TTL).  Is this correct?



Usually bridges, yes.




It seems there are some obvious advantages to stealth mode firewalls since
they are completely hidden at the IP layer, but I'm wondering if there are
any significant drawbacks.
One major drawback is that they - by their very concept - don't do routing. If you have more than 2 interfaces ("inside" and "outside") that is a major problem. Plus you then need a lot of routers. One of our multi-network customers has 10+ networks in the same house to be separated - one multi-NIC non-stealth firewall - or one stealth FW plus 10+ routers. Guess what is easier to manage...
Second problem is doing VPN - or: not! Without a (visible) VPN peer there is no VPN to be established. 


> It seems that products are limited, only Sun's
> SunScreen & BSD Linux support this functionality.

Lucent Bricks are appliances.


--

Volker Tanger  <volker.tanger () discon de>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: