Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: Timothy Shea <tim () tshea net>
Date: Sat, 17 Nov 2007 11:14:14 -0600

Hi Kelly,

Let's say I am kind of disappointed.  I figured that your question would kick
off a "proxy" versus "everything else" type "discussion".  It didn't.
Ah, the 90s.... good times, good times...

What I believe you are referring to when you talk about "generate a
new packet ... " is a proxy firewall.  This is a piece of code that
will take the original packet, suck out the contents, (the content may
be inspected at this point but rarely happens), build a new packet,
blow the content back into the new packet, and send it along its way
(assuming it meets other criteria such as being allowed, valid, etc).
Commercial examples of this type of firewall are Sidewinder or
Symantec Enterprise Firewall (formerly known as Raptor).  The other
type of firewall (and market leader) would be "stateful".  Examples of
this would be Checkpoint, Pix (ASA), and pretty much every kitchen
appliance these days.

What would be the advantage of this approach?  Well - the primary  
advantage would be that there is no "direct" path to the service that  
you need to talk to.  This is helpful especially in the days where IP  
stacks were poorly written and attacks against them were more  
realistic.  If you use an application specific proxy (http, smtp, etc)  
then you have an improved level of packet validation.  This could be  
helpful to protect against potential unknown attacks against  
applications.  There are a few more but I don't think they are that  
relevant.

What would be a disadvantage?  Some say performance.  I never bought
that argument.  It's a sizing issue.  The firewalls I've dealt with
that handled the highest amount of packets were proxies.  Others say
price.  This is a true argument - commercial proxy firewalls were
traditionally a higher price point than their stateful counterparts.

I've done a lot of firewall conversions in the last few years.   The
primary reason organizations cited as a reason to move away from proxy
firewalls was management.  If you have to manage more than, say, one
firewall - the management interfaces of the two market leaders in the
proxy space have always fallen down (read: royally suck).  Checkpoint
has always done a better job at this.  And organizations like the
familiarity of the Pix (ASA) because everything else they have is
Cisco devices.  Whether it's a better option in "securing" whatever you
are trying to "secure" rarely enters the discussion.

In the end, stateful and proxy firewalls will both do the job that we  
ask firewalls to do and are only one component of an overall security  
architecture.

cue "discussion"

t.s

On Nov 13, 2007, at 9:58 PM, Kelly Robinson wrote:

Some firewalls, after receiving a packet, generate a new packet and  
populate it with data from the original, rather than forwarding the  
same packet that was received. What are the advantages and  
disadvantages of this approach? And does anyone have any examples of  
any firewalls that do this on the market?

Thanks

- k
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
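As an added example (not from the original thread or from either poster), here is a minimal HTTP forwarding proxy in Python that shows the "suck out the contents, build a new packet" model the reply describes: the client's request is parsed, each field is validated against a narrow grammar, and a fresh request is constructed and sent over the proxy's own TCP connection to the backend, so none of the client's IP/TCP segments ever reach the protected server. The method and header allow-lists, the sample client request and the loopback echo backend are assumptions made for illustration.

```python
import re
import socket
import threading
from typing import Optional

# Policy the proxy enforces (assumed for illustration; a real proxy would make this configurable).
ALLOWED_METHODS = {"GET", "HEAD"}
FORWARDED = ("host", "user-agent", "accept")           # allow-list of headers relayed, fixed order
CANONICAL = {"host": "Host", "user-agent": "User-Agent", "accept": "Accept"}
REQUEST_LINE = re.compile(rb"([A-Z]{3,7}) (/[!-~]*) HTTP/1\.[01]")
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 7230 header-name token
FIELD_VALUE = re.compile(rb"[\t -~]*")                 # printable ASCII and HTAB only

# Constructed client request: odd header casing, HTTP/1.0, a Transfer-Encoding
# header and a private header that the backend should never see.
CLIENT_REQUEST = (b"GET /index.html HTTP/1.0\r\n"
                  b"host: www.example.com\r\n"
                  b"TRANSFER-ENCODING: chunked\r\n"
                  b"X-Debug: 1\r\n\r\n")


def parse_request(raw: bytes) -> dict:
    """Pull the fields out of a raw HTTP/1.x request head and validate each one.
    Raises ValueError for anything outside the narrow grammar we are willing to relay."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.fullmatch(lines[0])      # fullmatch: a trailing bare LF cannot slip past
    if not m:
        raise ValueError("malformed request line")
    method, target = m.group(1).decode("ascii"), m.group(2).decode("ascii")
    if method not in ALLOWED_METHODS:
        raise ValueError("method not allowed: " + method)
    if len(target) > 2048 or "/../" in target + "/" or "\\" in target:
        raise ValueError("rejected request target")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.fullmatch(name) or not FIELD_VALUE.fullmatch(value):
            raise ValueError("malformed header line")
        key = name.decode("ascii").lower()
        if key in headers:                     # two Content-Length/Host headers is a classic smuggling trick
            raise ValueError("duplicate header: " + key)
        headers[key] = value.strip().decode("ascii")
    if "host" not in headers:
        raise ValueError("Host header required")
    return {"method": method, "target": target, "headers": headers}


def reject_reason(raw: bytes) -> Optional[str]:
    """Why parse_request refuses a request, or None if it would be relayed."""
    try:
        parse_request(raw)
    except ValueError as exc:
        return str(exc)
    return None


def rebuild_request(req: dict) -> bytes:
    """Blow the validated content into a brand-new request. Only allow-listed headers
    cross, in canonical case and fixed order; Transfer-Encoding, hop-by-hop headers,
    stray whitespace and the client's HTTP version never reach the backend."""
    lines = ["%s %s HTTP/1.1" % (req["method"], req["target"])]
    for key in FORWARDED:
        if key in req["headers"]:
            lines.append("%s: %s" % (CANONICAL[key], req["headers"][key]))
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def relay(client_raw: bytes, backend: tuple) -> bytes:
    """Proxy one request: validate, rebuild, then open the proxy's OWN TCP connection
    to the backend and return its answer. The client's packets terminate here; nothing
    it sent at the IP/TCP layer is forwarded, which is the 'no direct path' property."""
    fresh = rebuild_request(parse_request(client_raw))
    with socket.create_connection(backend, timeout=5) as s:
        s.sendall(fresh)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def echo_backend() -> tuple:
    """Constructed stand-in for the protected server: replies 200 with exactly the
    bytes it received, so the demo shows what the proxy really forwarded."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            got = conn.recv(65535)
            conn.sendall(b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n" + got)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    print(relay(CLIENT_REQUEST, echo_backend()).decode("ascii"))
    print("refused:", reject_reason(b"GET /../etc/passwd HTTP/1.1\r\nHost: a\r\n\r\n"))
```

Running it shows the backend receiving only `GET /index.html HTTP/1.1`, `Host: www.example.com` and `Connection: close`: the Transfer-Encoding and X-Debug headers, the lowercase `host` and the HTTP/1.0 version were consumed by the proxy and rebuilt, which is the content validation the reply credits application-specific proxies with. The `parse_request` grammar is deliberately narrow; a stateful packet filter would have passed every one of the refused requests below unchanged.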
