Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: ArkanoiD <ark () eltex net>
Date: Fri, 29 Apr 2011 18:09:27 +0400

On Fri, Apr 29, 2011 at 10:22:45AM +0200, Claudio Telmon wrote:

> Proxies have been mostly put on top of an operating system's TCP/IP
> stack, but I wouldn't say that this is a benefit, it's just simpler.

Actually it *IS* a benefit. By eliminating direct packet flow, you do not
need to care about bad things sneaking in TCP and below; actually, it is the only
way to *reliably* ensure that we see similar data on the firewall and the endpoint.

> Also, having more devices (e.g. separating a packet filter from a proxy,
> and from a VPN concentrator, etc.) means more complexity and more
> errors/bugs.

Sometimes it is just more reliability; it depends on how you implement that :-)

I see little to no reason to combine a VPN concentrator and a firewall in a single box,
despite the fact that it is the most popular way to do it.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
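
Added illustration, not part of the original message: a small model of the reply's point that only a proxy reliably makes the firewall and the endpoint see the same data. The overlapping-segment case, the two reassembly policies and all function names are assumptions chosen for this sketch; the sample segments are constructed.

```python
# Constructed sample: (stream_offset, payload) pairs. The last two segments
# overlap, so the rebuilt stream depends on the receiver's reassembly policy.
SAMPLE = [(0, b"hello "), (6, b"world"), (6, b"WORLD")]


def reassemble(segments, policy):
    """Rebuild a byte stream from possibly overlapping segments.

    policy="first": bytes already received are kept.
    policy="last":  later segments overwrite earlier bytes.
    Assumes the segments leave no gaps in the stream.
    """
    stream = {}
    for offset, payload in segments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if policy == "first" and pos in stream:
                continue
            stream[pos] = byte
    return bytes(stream[p] for p in sorted(stream))


def passive_path(segments, inspector_policy, endpoint_policy):
    """Packet-forwarding device: inspector and endpoint each reassemble the
    same raw segments, each with its own stack's policy."""
    return (reassemble(segments, inspector_policy),
            reassemble(segments, endpoint_policy))


def proxy_path(segments, proxy_policy, endpoint_policy, mss=4):
    """Proxy: the firewall's own stack terminates the connection, and the
    bytes it accepted are sent on a new connection as fresh, non-overlapping
    segments, so the endpoint's policy has nothing left to disagree about."""
    seen = reassemble(segments, proxy_policy)
    fresh = [(i, seen[i:i + mss]) for i in range(0, len(seen), mss)]
    return seen, reassemble(fresh, endpoint_policy)


if __name__ == "__main__":
    print("passive:", passive_path(SAMPLE, "first", "last"))
    print("proxy:  ", proxy_path(SAMPLE, "first", "last"))
```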

