Firewall Wizards mailing list archives

RE: Firewall Throughput


From: Ben Nagy <bnagy () sa volante com au>
Date: Tue, 12 Sep 2000 15:32:43 +0930

-----Original Message-----
From: Andy Smith [mailto:andy () centralworks com]
Sent: Monday, 11 September 2000 11:44 AM
To: Darren Mackay
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Firewall Throughput


Here is a quote from a paper written in '98 by Fred Avolio:

"As security expert Bill Stout wrote [...ALGs good...]

Wow. Any news on what Bill Stout's cousin's dog thinks about this issue? [1]


Anyone really concerned about security that owns a PIX (or any packet
filtering, stateful inspecting device) [snip]


The Application Level Gateway is a good _model_. However, remember that it's
only a model. People that design security solutions these days have much
more choice. I can run, say, IPFilter at my border, and then run five NICs
out of it, which connect to my box which runs djbdns, my box which runs
qmail, my box which runs squid, my box which runs the SuSE ftp-proxy[2] etc
etc etc. This gives me lots of desirable security benefits, but I'm not
running an ALG firewall.

What I have (hypothetically) done is select best of breed gateway solutions
for various protocols instead of taking one clump from a vendor. I would
suggest that the single ALG approach - eg Gauntlet - is actually a
suboptimal implementation of the ALG model.


Andy Smith


Cheers,

[1] No offense to Bill or Fred, who I know are clueful. I'm objecting to
thirdhand quoting, not the content of the extract.
[2] I just wouldn't run it on SuSE! Sorry, guys. ;)
--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

