Firewall Wizards mailing list archives

Re: Firewall Throughput


From: Andy Smith <andy () centralworks com>
Date: Sun, 10 Sep 2000 19:13:36 -0700

Here is a quote from a paper written in '98 by Fred Avolio:

"As security expert Bill Stout wrote on the firewall mailing list, "The
purpose of a security device is to protect a network, not to be fast. Fast
is what airline travelers want when passing through airport security;
secure is what they want when they tumble through the air after their
plane blows up."

Stateful packet filters may be adequate for low-risk Intranets, or in
situations where raw throughput has priority over security. Application
gateways should be the technology of choice for organizations that are
serious about protecting their networks."

Anyone really concerned about security that owns a PIX (or any packet
filtering, stateful inspecting device) should ask themselves the following
questions:

Does your firewall do packet fragment reassembly, or is the option to ignore all fragments?
Does your firewall allow external systems to directly touch internal resources?
Does the 3-way handshake occur before initiating a connection to the internal host?
How many times have you had to upgrade your firewall?
Which is more important, security or performance?
Why would anyone concerned about security sacrifice security for performance?

I'll answer the last question:
Because their real concern is performance or....
    they do not understand security.


Andy Smith


Darren Mackay wrote:

Darren,

| What do you value more - throughput or security ?
|
| If you value security, the PIX isn't the answer,
| IMHO.

Are you saying PIX is not secure? Are you able to elaborate? I have
never had any problem with PIX, and it certainly has not failed any
'ethical attacks' that have been thrown against it (unlike other vendors,
which can be really esoteric in their configs to get around known
vulnerabilities).

ps - I personally like ipfilter, but it is extremely hard to sell it to
executives who sign the cheques when there is no official support from
the vendor (ie - 24/7 by phone, etc...), thus I have to use commercial
products like fw-1, pix and others.

Darren Mackay

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
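The first question in Andy's list (fragment reassembly) is worth seeing in code. The example below is added to this archive page and is not code from the thread or from any firewall vendor; the names Fragment, reassemble, tcp_header_fields and the sample SYN segment are all constructed for illustration. It shows the two things a filter that reassembles before it decides gets for free: a strict reassembler that drops any datagram with overlapping or misaligned fragments (different end hosts resolve overlaps differently, so a firewall should not guess), and a rule engine that sees the whole TCP header, including the flags byte, rather than just the bytes that happened to land in the first fragment.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


class ReassemblyError(ValueError):
    """Raised when a set of fragments cannot be trusted (overlap, bad alignment, extra data)."""


@dataclass(frozen=True)
class Fragment:
    # IPv4 carries the offset in 8-byte units; for readability we store the byte offset directly.
    offset: int     # byte position of this payload within the original datagram
    more: bool      # the IP "More Fragments" (MF) flag
    payload: bytes


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Rebuild the original datagram from IP fragments.

    Returns None while pieces are still missing, the full payload once every byte
    up to the final fragment is present, and raises ReassemblyError for any
    overlap, duplicate or misaligned fragment. Dropping the whole datagram on any
    overlap is the conservative policy for a firewall.
    """
    if not fragments:
        return None
    ordered = sorted(fragments, key=lambda f: f.offset)
    expected = 0                     # next byte offset we need to see
    final_end: Optional[int] = None  # total length once the MF=0 fragment is seen
    for frag in ordered:
        if frag.offset % 8:
            raise ReassemblyError(f"offset {frag.offset} is not on an 8-byte boundary")
        if frag.more and len(frag.payload) % 8:
            raise ReassemblyError("non-final fragment length is not a multiple of 8")
        if frag.offset < expected:
            raise ReassemblyError(f"fragment at {frag.offset} overlaps earlier data")
        if frag.offset > expected:
            return None              # hole before this fragment: keep waiting
        expected = frag.offset + len(frag.payload)
        if not frag.more:
            if final_end is not None:
                raise ReassemblyError("more than one final fragment")
            final_end = expected
    if final_end is None:
        return None                  # last fragment (MF=0) has not arrived yet
    if expected != final_end:
        raise ReassemblyError("data present beyond the final fragment")
    return b"".join(f.payload for f in ordered)


def tcp_header_fields(datagram: bytes) -> Tuple[int, int, int]:
    """Return (source port, destination port, flags) from a reassembled TCP segment."""
    if len(datagram) < 20:
        raise ReassemblyError("TCP header truncated")
    src, dst, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", datagram[:14])
    return src, dst, flags


# Constructed sample: a 20-byte TCP SYN to port 22, split into 8/8/4-byte fragments.
SAMPLE_HEADER = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLE_FRAGMENTS = [
    Fragment(16, False, SAMPLE_HEADER[16:]),   # deliberately delivered out of order
    Fragment(0, True, SAMPLE_HEADER[:8]),
    Fragment(8, True, SAMPLE_HEADER[8:16]),
]

if __name__ == "__main__":
    datagram = reassemble(SAMPLE_FRAGMENTS)
    print("reassembled intact:", datagram == SAMPLE_HEADER)
    print("ports/flags seen by a whole-datagram rule:", tcp_header_fields(datagram))
    try:
        reassemble(SAMPLE_FRAGMENTS + [Fragment(8, True, b"\x00" * 8)])
    except ReassemblyError as exc:
        print("rejected:", exc)
```

A per-fragment filter that looked only at the first 8-byte piece of this segment would see the ports but never the flags byte at offset 13; the rule applied to the output of reassemble() sees all of them, and the overlapping fragment in the last call never reaches the rule at all.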
