I should start out with the fact that I use FW-1, so that gives you
an idea where I stand on the "do as I say, not as I do" issue.

>Which (commonly deployed) protocols would you consider to be 'low risk', and
>potentially adequately served via a stateful packet filter?

Telnet.  DNS (though with a recent BIND.. this is kinda a proxy) and any
crypted protocols you decide you want to pass, like SSH, SSL, etc..
I say the crypted protocols not because they're good necessarily
(though they tend to be better) but because you have no choice but
to SPF/circuit-proxy them.

>Conversely, as I assume it to be an easier question to answer (but maybe
>not...), which handful of protocols (barring those which you should *never*
>contemplate passing to the Internet) are better served by application
>proxies, and what specific benefit is gained from doing so?

HTTP is the obvious choice, because of the potential caching benefits,
because so many things treat it as an underlying transport, and because
that's where the majority of the objectionable material comes in.

                         Ryan
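The distinction Ryan draws above (ports and connection state are all a stateful packet filter can act on, while an HTTP proxy can act on the request itself and so cache or filter content) as an added example, not code from the original thread: a toy packet-filter decision beside a toy HTTP-proxy decision, run over constructed traffic. The allow-list, the blocked host name and the function names are assumptions.

```python
from typing import Optional

# Hypothetical policy: ports a packet filter passes, hosts an HTTP proxy refuses.
ALLOWED_PORTS = {22, 53, 443}           # SSH, DNS, SSL: the 'crypted'/low-risk set
BLOCKED_HOSTS = {"objectionable.test"}  # constructed content-policy entry


def packet_filter_decision(dport: int, payload: bytes) -> dict:
    """A stateful packet filter keys on addresses, ports and connection
    state; the payload is opaque to it whether or not it is encrypted."""
    return {"layer": "packet-filter", "allow": dport in ALLOWED_PORTS,
            "sees_payload": False, "payload_len": len(payload)}


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Parse an HTTP/1.x request head; return None if it is not well-formed."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    try:
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None                 # malformed header line: proxy drops it
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def http_proxy_decision(payload: bytes) -> dict:
    """An application proxy parses the request, so it can enforce a host
    policy, reject junk, and tell which responses are worth caching."""
    req = parse_http_request(payload)
    if req is None:
        return {"layer": "application-proxy", "allow": False,
                "reason": "not HTTP/1.x: nothing above the circuit to decide on"}
    host = req["headers"].get("host", "")
    return {"layer": "application-proxy", "allow": host not in BLOCKED_HOSTS,
            "host": host, "path": req["path"],
            "cacheable": req["method"] == "GET"}


# Constructed traffic: a plaintext HTTP request and the start of a TLS ClientHello.
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: objectionable.test\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"  # opaque beyond port/state
```

Feeding `TLS_HELLO` to the proxy side shows the point about crypted protocols: there is nothing parseable above the circuit, so the only usable decisions are the packet-filter ones.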
