At 06:41 PM 11/23/99 +0000, Gavin Kerr wrote:
Let's be a bit more specific.

An Application gateway makes your network more vulnerable to *some*
kinds of attack, and a packet filter makes your network more vulnerable
to *some* kinds of attack (Each compared to the other).

If you are saying that there are some attacks for which an application gateway leaves you vulnerable that a packet filter doesn't... well maybe I am tired (leaving myself a not-so-graceful out), but I don't think so.  Maybe it is semantics. Would you be specific?

The old fashioned "Make 'em go for someone easier..."

Of course. I assume by "old fashioned" you mean "tried and true." As most of the attacks on the Internet are replays of old fashioned attacks, and as "make 'em go for someone easier" still works well for many, it makes sense to me.

The major difference between bastion host and packet filter is to do
with network design. I like packet filters and a DMZ because it makes
*my* current network design "fit" easier. We have hosts we want the net
to have access to, and it's simply easier for me to use a DMZ, and
rebuild the box if/when it gets trashed.

I like a packet filter on the outside and a stronger, less permissive firewall on the inside, with a DMZ with hardened servers in between. But "rebuild the box if/when it gets trashed" is somewhat chilling, or should be to some. A trashed system? Loss of revenue, reputation, stock value, customers, and -- in some places and depending on what the trashed system was used for -- possible legal liability.

Fred