Firewall Wizards mailing list archives
Re: COmpare Firewalls
From: "Dameon D. Welch" <dwelch () best com>
Date: Wed, 8 Sep 1999 08:52:13 -0700
An application layer filter can not protect your OS against certain DOS attacks such as a Ping of Death. A ping of death causes problems at the IP stack, which an application can not effectively protect. An application can filter based on IP addresses, but it's more like an access list for the application (like TCP Wrappers) versus kernel-level packet filtering. A packet filter can look at an entire packet and, with stateful capabilities, can even keep track of a session. Properly configured, it can protect the OS from attacks that otherwise would crash the IP stack. But even a stateful packet filter has problems with things like content filtering and authentication, which really require user-level processes to be efficient. (This is why both technologies exist in most commercial firewalls) Someone on the list suggested that MS-Proxy may, in fact, do some packet filtering. I guess I don't know for sure since it's been quite a while since I touched an MSProxy box. I do know that Microsoft is adding some functionality to MSProxy that would make it more firewall-like, at least if you believe the trade press. -- PhoneBoy On Wed, Sep 08, 1999 at 06:01:29AM -0700, Joe Ippolito wrote:
So what I here you saying is that MS Proxy uses an application-level packet filter that is less secure than a kernel-level packet filter? Can you site an example and say why? Wouldn't either one have to get in front of the OS to filter incoming packets?
Current thread:
- COmpare Firewalls TUDOR PANAITESCU (Sep 01)
- RE: COmpare Firewalls Joe Ippolito (Sep 07)
- <Possible follow-ups>
- Re: COmpare Firewalls dwelch (Sep 06)
- RE: COmpare Firewalls Joe Ippolito (Sep 07)
- Re: COmpare Firewalls Dameon D. Welch (Sep 07)
- RE: COmpare Firewalls Joe Ippolito (Sep 08)
- Re: COmpare Firewalls Dameon D. Welch (Sep 08)
- RE: COmpare Firewalls Joe Ippolito (Sep 09)
- Re: COmpare Firewalls Darren Reed (Sep 09)
- RE: COmpare Firewalls Joe Ippolito (Sep 09)
- RE: COmpare Firewalls Joe Ippolito (Sep 07)
- Re: COmpare Firewalls Crispin Cowan (Sep 10)
- Re: COmpare Firewalls Darren Reed (Sep 10)