Firewall Wizards mailing list archives
RE: COmpare Firewalls
From: "Joe Ippolito" <joe () joesnet com>
Date: Wed, 8 Sep 1999 21:49:33 -0700
MS is apparently of the opinion that their packet filter is more effective than third-party firewalls on NT. See: http://www.microsoft.com/proxy/Comparisons/CompMatrix.asp?A=4&B=2

They even go so far as to say "... Proxy Server is as secure as other firewall products available today..." With what they have at stake making such a claim, I cannot imagine a packet filter written by a third party being any more effective. If you think we can prove otherwise, maybe there is some money to be made?

I believe that most packet filters by reputable organizations are effective and it is the person configuring it that puts the machine/network at risk.

Back to Tudor's original objective: "I am trying to convince the people in the IT dept. here that they should get rid of the Microsoft Proxy"

And his question: "Can anybody point me to a site with some information about the poor reliability/security/etc. of M$ Proxy?"

It is my opinion that Tudor should concentrate on features that his organization needs and that MS Proxy cannot provide. Examples would be static address translation, ICMP, and a fully functional DMZ. I believe he will be wasting his time looking for MS Proxy's security deficiencies. If he finds any, M$ has the coders to fix it in a hurry.

Are you still teaching FW-1 classes? If so, where? I may have more people to send.

-----Original Message-----
From: Dameon D. Welch [mailto:dwelch () best com]
Sent: Wednesday, September 08, 1999 8:52 AM
To: joe () joesnet com
Cc: firewall-wizards () nfr net
Subject: Re: COmpare Firewalls

An application layer filter cannot protect your OS against certain DOS attacks such as a Ping of Death. A ping of death causes problems at the IP stack, which an application cannot effectively protect. An application can filter based on IP addresses, but it's more like an access list for the application (like TCP Wrappers) versus kernel-level packet filtering.
A packet filter can look at an entire packet and, with stateful capabilities, can even keep track of a session. Properly configured, it can protect the OS from attacks that otherwise would crash the IP stack. But even a stateful packet filter has problems with things like content filtering and authentication, which really require user-level processes to be efficient. (This is why both technologies exist in most commercial firewalls.)

Someone on the list suggested that MS-Proxy may, in fact, do some packet filtering. I guess I don't know for sure since it's been quite a while since I touched an MSProxy box. I do know that Microsoft is adding some functionality to MSProxy that would make it more firewall-like, at least if you believe the trade press.

--
PhoneBoy

On Wed, Sep 08, 1999 at 06:01:29AM -0700, Joe Ippolito wrote:
> So what I hear you saying is that MS Proxy uses an application-level packet
> filter that is less secure than a kernel-level packet filter? Can you cite
> an example and say why? Wouldn't either one have to get in front of the OS
> to filter incoming packets?
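An added example, not part of the thread above, of the distinction PhoneBoy draws: the Ping of Death exists on the wire only as a set of IP fragments whose reassembled size would exceed the 65535-byte limit of the IPv4 Total Length field. The receiving stack reassembles them before any socket delivers data, so an application-level proxy never gets to see the datagram that crashes the kernel; a filter has to check each fragment at the IP layer. The code below is illustrative and assumed, not MS Proxy's or any vendor's implementation: it parses raw IPv4 headers, keeps per-datagram reassembly state keyed the way a stack keys it (source, destination, identification, protocol), and drops any fragment whose offset plus payload would push the datagram past 65535 bytes. All packet bytes are constructed inline for the example.

```python
import struct

# IPv4 Total Length is a 16-bit field, so no legal reassembled datagram
# can be larger than this. A Ping of Death is a set of fragments whose
# last piece lands beyond it.
MAX_IP_DATAGRAM = 65535
IP_HDR_FMT = '!BBHHHBBH4s4s'  # fixed 20-byte IPv4 header, no options


def build_ipv4_fragment(ident, offset_units, payload_len, more_fragments, proto=1):
    """Constructed test input: one IPv4 fragment with a zero-filled payload.
    offset_units is the fragment offset in 8-byte units, as carried on the wire.
    The checksum is left at zero; this filter does not verify it."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack(IP_HDR_FMT,
                         0x45,                 # version 4, IHL 5 (20 bytes)
                         0,                    # TOS
                         20 + payload_len,     # Total Length
                         ident,                # Identification
                         flags_frag,           # flags (MF) + fragment offset
                         64,                   # TTL
                         proto,                # protocol, 1 = ICMP
                         0,                    # header checksum (unverified)
                         bytes([10, 0, 0, 1]), # constructed source address
                         bytes([192, 0, 2, 1]))  # constructed destination
    return header + b'\x00' * payload_len


def parse_ipv4(pkt):
    """Return the header fields the filter needs; raise ValueError on anything
    malformed, so the caller can drop rather than guess."""
    if len(pkt) < 20:
        raise ValueError('short packet')
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack(IP_HDR_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError('not IPv4')
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError('inconsistent length fields')
    return {
        'src': src, 'dst': dst, 'id': ident, 'proto': proto,
        'more': bool(flags_frag & 0x2000),
        'offset': (flags_frag & 0x1FFF) * 8,   # byte offset within datagram
        'payload_len': total_len - ihl,
    }


class FragmentFilter:
    """Per-datagram reassembly state, keyed as the receiving stack keys it.
    This is the state an application-level filter never has, because the
    stack has already reassembled (or crashed) by the time a socket reads."""

    def __init__(self):
        self.high_water = {}   # key -> highest byte offset seen so far

    def inspect(self, pkt):
        """Return (verdict, reason) for one packet: 'pass' or 'drop'."""
        try:
            h = parse_ipv4(pkt)
        except ValueError as e:
            return 'drop', str(e)
        key = (h['src'], h['dst'], h['id'], h['proto'])
        end = h['offset'] + h['payload_len']
        if end > MAX_IP_DATAGRAM:
            # The classic Ping of Death: a fragment past the 16-bit limit.
            self.high_water.pop(key, None)
            return 'drop', 'fragment extends datagram past %d bytes' % MAX_IP_DATAGRAM
        if h['more'] or h['offset']:
            self.high_water[key] = max(self.high_water.get(key, 0), end)
            if not h['more']:
                # Last fragment arrived: reassembly complete, forget the state.
                self.high_water.pop(key)
        return 'pass', 'ok'


def demo_verdicts():
    """Run a benign fragmented ping and a Ping of Death through the filter."""
    f = FragmentFilter()
    cases = [
        ('normal ping, fragment 1', build_ipv4_fragment(1, 0, 1480, True)),
        ('normal ping, fragment 2', build_ipv4_fragment(1, 185, 28, False)),
        ('ping of death, last fragment', build_ipv4_fragment(2, 8191, 20, False)),
        ('truncated header', b'\x45\x00'),
    ]
    return [(label, f.inspect(pkt)[0]) for label, pkt in cases]


if __name__ == '__main__':
    for label, verdict in demo_verdicts():
        print('%-30s %s' % (label, verdict))
```

The second normal fragment starts at byte 1480 (185 x 8) and ends at 1508, so it passes; the Ping of Death fragment starts at 65528 (8191 x 8) and would end at 65548, past the 16-bit limit, so it is dropped before the stack ever tries to reassemble it. A TCP Wrappers-style address check in the application cannot make this decision because it runs only after the stack has handed up a complete datagram.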
Current thread:
- COmpare Firewalls TUDOR PANAITESCU (Sep 01)
- RE: COmpare Firewalls Joe Ippolito (Sep 07)
- <Possible follow-ups>
- Re: COmpare Firewalls dwelch (Sep 06)
- RE: COmpare Firewalls Joe Ippolito (Sep 07)
- Re: COmpare Firewalls Dameon D. Welch (Sep 07)
- RE: COmpare Firewalls Joe Ippolito (Sep 08)
- Re: COmpare Firewalls Dameon D. Welch (Sep 08)
- RE: COmpare Firewalls Joe Ippolito (Sep 09)
- Re: COmpare Firewalls Darren Reed (Sep 09)
- RE: COmpare Firewalls Joe Ippolito (Sep 09)
- RE: COmpare Firewalls Joe Ippolito (Sep 07)
- Re: COmpare Firewalls Crispin Cowan (Sep 10)
- Re: COmpare Firewalls Darren Reed (Sep 10)