Penetration Testing mailing list archives

Re: firewall question


From: dr.kaos <dr.kaos () kaos to>
Date: Fri, 15 Feb 2002 11:15:28 -0500

On Friday 15 February 2002 10:45 am, Ralph Los wrote:
> All,
>
> I am currently in the process of testing CyberGuard's firewall(s),
> which claim to be packetfilter + proxy based.  I am looking for someone
> outside my lab (external) to partner with in conducting strenuous testing,
> with some extensive 'packet crafting' attacks, etc.
>
> Cheers!  Response is appreciated...

Be happy to help if I can put my hands on a CyberGuard box; however, I must 
say that I'm a bit skeptical of any product that tries to bridge the 
functionality gap of a proxy and stateful filter.  Granted, I've never 
implemented a CyberGuard box, but the benefits of each firewalling 
methodology are so distinctly different, and are likely better offered by a 
heterogeneous combination of multiple firewalls than by a box that tries to 
"do it all."

That certainly isn't to say that someone couldn't prove me wrong, but I 
suspect that CyberGuard's "SmartProxies" are very similar in design to 
CheckPoint's "Security Servers" -- poorly designed content filtering 
mechanisms designed to overcome the basic limitations of filtering traffic 
without validating application layer content. I hope I offend no one in 
saying so (I don't suspect that I will, though, as numerous CheckPoint 
employees have shared with me their similar views on their own Security 
Servers), but I really don't think these stateful firewall vendors should be 
trying to put proxies on their boxes. IMHO: let the stateful firewall do one 
thing very well, and leave the proxying to a vendor with the expertise in 
writing proxies.

./dr.kaos
