Firewall Wizards mailing list archives
RE: PIX sux? (know Stateful vs Application)
From: "Dom De Vitto" <dom () devitto com>
Date: Tue, 28 Dec 1999 19:47:11 -0000
Interesting point Shaun, maybe this has something to do with the first 'firewalls' being commercial products (any comments Marcus?).

I think a lot of the problems the opensource crew have had have been related to the fact that the goalposts are moving too fast (Linux for one has different kernel firewalling in v2.0, v2.2 and v2.3!). I was surprised and downhearted when I found out that stateful inspection wasn't available in (v2.2) ipchains. SI is available in IPFilters, but they only work with the v2.0 kernel. The new firewalling in the v2.3 kernel is a rewrite of the IPchains (with the main author admitting that a lot of lessons have been learnt). Though all these variants have backwards-compatible interface commands, these are lacking and aren't 100%.

I *do* think that opensource firewalling will 'catch up', it's really only a matter of combining the bits we already have. The only thing that *is* missing is a wonder-GUI that gives you everything you need (app proxy setup and log viewing inclusive) in one blob - without exposing the user to the details of the commands required to set up FTP to an FTP server, traceroute, etc.

Here's hoping...

Dom

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto              Secure Technologies Ltd.
Mob. 07971 589 201        mailto:dom () devitto com
Tel. 01202 738 767        http://www.devitto.com
Fax. 08700 548 750
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Shaun Moran
Sent: Monday, December 27, 1999 4:30 AM
To: Owner-Firewall-Wizards; Predrag Zivic
Subject: RE: PIX sux? (know Stateful vs Application)

I agree that Stateful technologies (i.e.: Layer 3) will not stop against application level attacks, but also there are serious risks with Proxy (application Level) technologies if they do not protect the firewall itself against Layer 3 attacks.

Application level firewalls could have the ability to stop against application attacks (i.e.: MS RDAC) but how many of them actually do protect against these attacks??? Most application level Firewalls I know simply relay the HTTP request to the Internal Servers.

Both types of Firewalls correctly designed and implemented will protect against the majority of the attacks from the Internet BUT with the technology available today you can't put all your eggs in one basket and rely JUST on the Firewall. You have to think of the whole network and apply security to every part of it (access control, patches, design, etc).

As a footnote - both Stateful and application level firewalls are slowly merging into the same thing. Checkpoint have their security servers which are basically application proxies and products like Gauntlet can be configured to only proxy the first couple of packets and then 'route' the remainder using Stateful technologies. I welcome the day when you can put your trust into a firewall to do it all (and some products are getting there) but in my experience that day is still pretty far away.

Shaun

Actually - I'm really surprised that the open source movement hasn't produced any firewall products that even come close to commercial products. In just about every other software area - the open source version is as good if not better than some of the commercial products (eg: Squid).

-----Original Message-----
From: owner-firewall-wizards () lists nfr net
[mailto:owner-firewall-wizards () lists nfr net]On Behalf Of Predrag Zivic
Sent: Friday, 24 December 1999 5:28 AM
To: Ryan Russell
Cc: firewall-wizards () nfr net
Subject: Re: PIX sux? (was Re: Start watching your logfiles folks!)

Well,

--- Ryan Russell <Ryan.Russell () sybase com> wrote:
> > Since PIX is a network level firewall, there are quite a few OSI levels that can be used to attack you......
>
> The PIX can't really touch layer 1, is that what you meant?
>
> > Although your site is under attack PIX will not report any errors or stop the unauthorized activity.
>
> My FW-1 firewall (which is the same basic technology as the PIX) reports on and protects from quite a few things.

All I am trying to say here is that both FW-1 & PIX will not be able to catch application layer attacks. I don't question the "firewalling" capabilities of FW-1 & PIX or would like to start a discussion on stateful vs. proxy. One would think about application level attacks and bring a different type of technology to support/complement firewalls. Firewalls (PIX & FW-1) will neither help in all situations nor be a total solution for all Internet based attacks.

Pez

P.S. One would think about the mail viruses (maybe even better, trojans) that travel over the Internet, although we have firewalls...

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
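The thread keeps returning to one distinction: a stateful (layer 3/4) filter decides on the 5-tuple and its connection table and never reads the payload of an established connection, whereas an application-level proxy can parse the request and apply an HTTP-aware policy, but, as Shaun notes, many proxies just relay. The following is an added example written for this archive page; it is not code from PIX, FW-1, Gauntlet, ipchains or any product named in the thread, and the packet model, the "/msadc" deny rule (an assumption standing in for the RDS request path the thread's "MS RDAC" refers to), the addresses and the sample requests are all constructed here for illustration.

```python
"""Added example, not from the original thread: a toy stateful packet filter
next to a toy HTTP-aware proxy filter, run over the same constructed traffic.
Policy, addresses and requests are assumptions made for illustration."""
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model: enough for a 4-tuple, SYN/ACK flags and data."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


class StatefulFilter:
    """Layer-3/4 filter: a new connection is allowed if its destination port is
    permitted; once in the state table, every later packet of that connection
    is passed without looking at the payload (the point made in the thread)."""

    def __init__(self, allowed_dports):
        self.allowed_dports = set(allowed_dports)
        self.table = set()            # (src, sport, dst, dport) of allowed flows

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "ALLOW"            # established: payload is never inspected
        if pkt.syn and not pkt.ack and pkt.dport in self.allowed_dports:
            self.table.add(fwd)       # new outbound-to-server flow, remember it
            return "ALLOW"
        return "DROP"                 # unsolicited or non-SYN without state


class HttpProxyFilter:
    """Application-level filter: parses the HTTP request line and applies a
    method and path policy before the request would be relayed. With an empty
    policy it degrades to the 'just relay the request' proxy Shaun describes."""

    def __init__(self, allowed_methods, denied_dirs):
        self.allowed_methods = set(allowed_methods)
        self.denied_dirs = list(denied_dirs)   # e.g. ["/msadc"] (assumed policy)

    @staticmethod
    def canonical_path(target):
        """Decode percent-encoding and collapse '..' so that encoded or
        traversal variants of a denied path cannot slip past a prefix check."""
        path = unquote(urlsplit(target).path or "/")
        path = posixpath.normpath(path)
        return path if path.startswith("/") else "/" + path

    def path_denied(self, path):
        return any(path == d or path.startswith(d + "/") for d in self.denied_dirs)

    def decide(self, payload):
        try:
            request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
            method, target, version = request_line.split(" ")
        except (ValueError, UnicodeDecodeError):
            return "DROP"             # not a well-formed HTTP request line
        if not version.startswith("HTTP/1."):
            return "DROP"
        if method not in self.allowed_methods:
            return "DROP"
        if self.path_denied(self.canonical_path(target)):
            return "DROP"
        return "ALLOW"


def run_demo():
    """Run both filters over constructed traffic (RFC 5737 documentation
    addresses) and return the decisions keyed by scenario."""
    client, server = "198.51.100.7", "192.0.2.10"
    benign = b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"
    # Percent-encoded 'm' in the directory name: a naive string match misses it.
    attack = b"GET /%6dsadc/msadcs.dll HTTP/1.0\r\nHost: www\r\n\r\n"

    stateful = StatefulFilter(allowed_dports=[80])
    policy_proxy = HttpProxyFilter(["GET", "HEAD", "POST"], denied_dirs=["/msadc"])
    relay_only = HttpProxyFilter(["GET", "HEAD", "POST"], denied_dirs=[])

    results = {}
    results["syn"] = stateful.decide(Packet(client, 40000, server, 80, syn=True))
    results["stateful_benign"] = stateful.decide(
        Packet(client, 40000, server, 80, ack=True, payload=benign))
    results["stateful_attack"] = stateful.decide(
        Packet(client, 40000, server, 80, ack=True, payload=attack))
    results["stateful_unsolicited"] = stateful.decide(
        Packet("203.0.113.5", 1234, server, 80, ack=True, payload=attack))
    results["proxy_benign"] = policy_proxy.decide(benign)
    results["proxy_attack"] = policy_proxy.decide(attack)
    results["relay_attack"] = relay_only.decide(attack)
    return results


if __name__ == "__main__":
    for scenario, verdict in run_demo().items():
        print(f"{scenario:22s} {verdict}")
```

The stateful filter passes the hostile request exactly as it passes the benign one, because both ride an established connection to an allowed port; only an unsolicited packet with no state is dropped. The proxy with a path policy drops the request even in its percent-encoded form, because it canonicalizes before matching; the same proxy with an empty policy relays it, which is the "simply relay the HTTP request" case. Canonicalization is the part practitioners most often get wrong when they bolt a deny-list onto a proxy.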
Current thread:
- PIX sux? (was Re: Start watching your logfiles folks!) Ryan Russell (Dec 24)
- <Possible follow-ups>
- Re: PIX sux? (was Re: Start watching your logfiles folks!) Predrag Zivic (Dec 26)
- RE: PIX sux? (know Stateful vs Application) Shaun Moran (Dec 27)
- RE: PIX sux? (know Stateful vs Application) Frederick M Avolio (Dec 28)
- RE: PIX sux? (know Stateful vs Application) David Lang (Dec 28)
- RE: PIX sux? (know Stateful vs Application) Dom De Vitto (Dec 28)
- Re: PIX sux? (know Stateful vs Application) Darren Reed (Dec 30)
- RE: PIX sux? (know Stateful vs Application) Shaun Moran (Dec 27)
- Re: PIX sux? (was Re: Start watching your logfiles folks!) Ryan Russell (Dec 27)