Firewall Wizards mailing list archives

Re: Compare Firewalls


From: "Dameon D. Welch" <dwelch () best com>
Date: Wed, 8 Sep 1999 08:52:13 -0700

An application layer filter cannot protect your OS against certain DoS
attacks such as a Ping of Death. A ping of death causes problems at the
IP stack, which an application cannot effectively protect. An application
can filter based on IP addresses, but it's more like an access list for
the application (like TCP Wrappers) versus kernel-level packet filtering.

A packet filter can look at an entire packet and, with stateful capabilities,
can even keep track of a session. Properly configured, it can protect the
OS from attacks that otherwise would crash the IP stack. But even a stateful
packet filter has problems with things like content filtering and
authentication, which really require user-level processes to be efficient.

(This is why both technologies exist in most commercial firewalls.)

Someone on the list suggested that MS-Proxy may, in fact, do some packet
filtering. I guess I don't know for sure since it's been quite a while
since I touched an MSProxy box. I do know that Microsoft is adding
some functionality to MSProxy that would make it more firewall-like,
at least if you believe the trade press.

-- PhoneBoy

On Wed, Sep 08, 1999 at 06:01:29AM -0700, Joe Ippolito wrote:

> So what I hear you saying is that MS Proxy uses an application-level packet
> filter that is less secure than a kernel-level packet filter? Can you cite
> an example and say why? Wouldn't either one have to get in front of the OS
> to filter incoming packets?
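As an added illustration of PhoneBoy's point that a Ping of Death has to be caught at the IP layer, below is a small Python check of the kind a kernel-level packet filter performs on a fragment header before any application ever sees data. It is example code written for this archive page, not from any product discussed in the thread; the sample packets and the header builder are constructed here, and the IP checksum is left at zero for simplicity.

```python
import struct

# Maximum size of a reassembled IPv4 datagram (RFC 791). A fragment whose
# offset plus payload would exceed this is the classic ping-of-death condition.
MAX_IPV4_DATAGRAM = 65535


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header fields a packet filter inspects."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,            # header length in bytes
        "total_length": total_len,
        "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "protocol": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


def fragment_end(hdr: dict) -> int:
    """Byte offset at which this fragment's payload would end once reassembled."""
    payload_len = hdr["total_length"] - hdr["ihl"]
    return hdr["fragment_offset"] + payload_len


def is_oversized_fragment(pkt: bytes) -> bool:
    """True if accepting this fragment would push the reassembled datagram past 65535 bytes."""
    return fragment_end(parse_ipv4_header(pkt)) > MAX_IPV4_DATAGRAM


def build_ipv4_header(total_length: int, ident: int, flags_frag: int, proto: int = 1,
                      src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Constructed IPv4 header (version 4, IHL 5, TTL 64, checksum zeroed) for the samples below."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, flags_frag, 64, proto, 0, src, dst)


# Constructed samples: an ordinary 64-byte ICMP echo, and a final fragment placed at
# offset 8189*8 = 65512 carrying 40 bytes, which would reassemble to 65552 bytes.
NORMAL_PING = build_ipv4_header(20 + 64, 1, 0) + b"\x08\x00" + b"\x00" * 62
LAST_FRAGMENT = build_ipv4_header(20 + 40, 2, 8189) + b"\x00" * 40
```

An application-level filter such as TCP Wrappers never gets this header: by the time a user process is consulted, the kernel has already tried to reassemble the datagram.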
