Disclaimer: while I do not work for Check Point, I have purposefully chosen
to work only with Check Point firewalls. My following comments will reflect
this educated bias.
>>packet filters are often very fast ( could even be just a router with
firewall software ). For example a basic Cisco PIX.
>>Stat.. like FW-1 offer more security, but are not as fast.
>>Proxy, are slower then stat... but offers even more security.
>>App... are the slowest, but most secure.
Bunk, complete and total bunk. Well, that's a bit harsh. The first two
lines are accurate but the last two lines are not.
Yes, proxies and application gateways are slower than stateful inspection.
That having been said, they are not more secure than true stateful
inspection. Lance Spitzner had written a great paper, detailing what
semi-intelligent Stateful Inspection really is and how it really works,
(http://www.enteract.com/~lspitz/fwtable.html) so I won't belabor that here.
(By the way, nobody makes truly intelligent Stateful Inspection)
(Incidentally, check out all of Lance's white papers at
http://www.enteract.com/~lspitz/pubs.html)
IMNQSHO Check Point Firewall-1 (particularly now that they have developed
the SVN architecture) is the most secure, most reliable, and definitively
most enterprise scalable, not to mention manageable firewall on the market.
(The letter contains my personal opinion, and only incidentally reflects on
the company I work for)
Nathan A. Long
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
