Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: Timothy Shea <tim () tshea net>
Date: Sat, 17 Nov 2007 11:14:14 -0600
Hi Kelly,

Let's say I am kind of disappointed. I figured that your question would kick off a "proxy" versus "everything else" type "discussion". It didn't. Ah, the 90s... good times, good times...

What I believe you are referring to when you talk about "generate a new packet..." is a proxy firewall. This is a piece of code that will take the original packet, suck out the contents (the content may be inspected at this point, but that rarely happens), build a new packet, blow the content back into the new packet, and send it along its way (assuming it meets other criteria such as being allowed, valid, etc.). Commercial examples of this type of firewall are Sidewinder or Symantec Enterprise Firewall (formerly known as Raptor). The other type of firewall (and market leader) would be "stateful". Examples of this would be Checkpoint, Pix (ASA), and pretty much every kitchen appliance these days.

What would be the advantage of this approach? Well, the primary advantage would be that there is no "direct" path to the service that you need to talk to. This is helpful, especially in the days when IP stacks were poorly written and attacks against them were more realistic. If you use an application-specific proxy (HTTP, SMTP, etc.) then you have an improved level of packet validation. This could be helpful to protect against potential unknown attacks against applications. There are a few more, but I don't think they are that relevant.

What would be a disadvantage? Some say performance. I never bought that argument. It's a sizing issue. The firewalls I've dealt with that handled the highest number of packets were proxies. Others say price. This is a true argument: commercial proxy firewalls were traditionally at a higher price point than their stateful counterparts.

I've done a lot of firewall conversions in the last few years. The primary reason organizations cited for moving away from proxy firewalls was management. If you have to manage more than, say, one firewall, the management interfaces of the two market leaders in the proxy space have always fallen down (read: royally suck). Checkpoint has always done a better job at this. And organizations like the familiarity of the Pix (ASA) because everything else they have is Cisco devices. Whether it's a better option in "securing" whatever you are trying to "secure" rarely enters the discussion.

In the end, stateful and proxy firewalls will both do the job that we ask firewalls to do and are only one component of an overall security architecture.

cue "discussion"

t.s

On Nov 13, 2007, at 9:58 PM, Kelly Robinson wrote:
Some firewalls, after receiving a packet, generate a new packet and populate it with data from the original, rather than forwarding the same packet that was received. What are the advantages and disadvantages of this approach? And does anyone have any examples of any firewalls that do this on the market?

Thanks - k

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
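As an added illustration of the terminate, parse, validate and re-originate pattern Tim describes (this is example code, not from the thread or from any of the products named): a toy HTTP proxy firewall in Python. It generalizes his "packet" to an HTTP/1.x request head, since that is the unit an application proxy actually reconstructs. The allowed methods, size caps, header-name syntax and the origin.example hostname are assumptions chosen for the example; the loopback demo puts an echoing origin behind the proxy so you can see that the server receives only what the proxy rebuilt, never the client's bytes.

```python
"""Toy application-layer ("proxy") firewall for HTTP/1.x request heads: the
client's TCP connection ends here, the request is parsed and checked against
policy, and a fresh request goes out on a NEW connection to the server.
Policy values (allowed methods, size caps) are hypothetical for this example."""
import re
import socket
import threading

ALLOWED_METHODS = {"GET", "HEAD"}            # hypothetical policy; no body handling here
MAX_LINE, MAX_HEADERS = 4096, 50             # caps on line length and header count
HEADER_NAME = re.compile(rb"[A-Za-z0-9-]+")  # conservative subset of an HTTP token
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive"}   # regenerated, never copied
BODY_FRAMING = {"content-length", "transfer-encoding"}          # refused, not relayed

def parse_request(raw):
    """Parse a head into (method, target, version, headers) or None on policy failure."""
    head, sep, _body = raw.partition(b"\r\n\r\n")   # only the head is handled
    if not sep:
        return None
    lines = head.split(b"\r\n")
    if len(lines) - 1 > MAX_HEADERS or any(len(ln) > MAX_LINE for ln in lines):
        return None
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if method not in ALLOWED_METHODS or version not in ("HTTP/1.0", "HTTP/1.1"):
        return None
    if not target.startswith("/") or re.search(r"\s", target):
        return None
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not HEADER_NAME.fullmatch(name):
            return None
        try:
            key = name.decode("ascii").lower()
            headers.append((key, value.strip().decode("ascii")))
        except UnicodeDecodeError:
            return None
        if key in BODY_FRAMING:   # refuse rather than mis-frame a body we do not relay
            return None
    return method, target, version, headers

def rebuild_request(raw, upstream_host):
    """Serialize a brand-new head; Host and Connection are the proxy's own values."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, version, headers = parsed
    out = [f"{method} {target} {version}", f"Host: {upstream_host}", "Connection: close"]
    out += [f"{k}: {v}" for k, v in headers if k not in HOP_BY_HOP and k != "host"]
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii")

def relay(client, upstream_addr, upstream_host):
    """Serve one client: read the head, rebuild it, open a NEW upstream connection."""
    with client:
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) <= MAX_LINE * MAX_HEADERS:
            chunk = client.recv(4096)
            if not chunk:
                return
            raw += chunk
        fresh = rebuild_request(raw, upstream_host)
        if fresh is None:
            client.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
            return
        with socket.create_connection(upstream_addr) as up:   # server sees only the proxy
            up.sendall(fresh)
            while data := up.recv(4096):
                client.sendall(data)

def listener(handler):
    """Bind a loopback socket on an ephemeral port and hand it to a thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=handler, args=(srv,), daemon=True).start()
    return srv.getsockname()

def run_demo():
    """Loopback demo: an echoing toy origin behind the proxy shows the rebuilt head."""
    def origin(srv):
        with srv, srv.accept()[0] as conn:
            seen = conn.recv(65536)
            conn.sendall(b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n" + seen)
    origin_addr = listener(origin)
    def proxy(srv):
        with srv:
            relay(srv.accept()[0], origin_addr, "origin.example")  # hypothetical name
    proxy_addr = listener(proxy)
    with socket.create_connection(proxy_addr) as c:   # constructed client request
        c.sendall(b"GET /index.html HTTP/1.1\r\nHost: www.example\r\nX-Client: 1\r\n\r\n")
        reply = b""
        while data := c.recv(4096):
            reply += data
    return reply

if __name__ == "__main__":
    print(run_demo().decode())
```

Running the file prints the origin's echo: the Host header is the proxy's, the Connection: close was generated by the proxy, the client's header names come out canonicalised, and a request carrying Transfer-Encoding or Content-Length is refused outright because this toy relays no body. That refusal is the caveat behind "improved level of packet validation": a proxy only validates what it actually parses, so anything it passes through unparsed gets none of the benefit.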