On Mon, 21 Feb 2000, Chris Brenton wrote:

> Dave Harris wrote:
> > 
> > I take your point about defense in depth, however, I'm of the opinion
> > that routers should route and firewalls should firewall. If your
> > firewall can't stop evil packets getting into your network then get
> > one that does. Isn't that the point?
> 
> I still cringe every time I see this in print. ;)

An interesting aside: both 3Com and Cisco have had their routers certified as
firewalls (see http://WWW.ICSA.NET/html/certification).  You will also find
definitions for an Internet Firewall, Network Firewall, etc. in the Firewall
Buyer's Guide.

The following are the three basic types of firewall and what are often given
as examples of the class.

        Packet Filter           Cisco IOS
        Application Proxy       Gauntlet
        Stateful Inspection     Firewall-1

With the exception of packet filtering routers, I doubt that you can find
any firewalls today that haven't adopted technologies from the other
classes.

> > Could you tell me your arguments for and against re router filtering or direct me
> > to some literature on the subject?
> 
> The same principles apply to perimeter security. A single firewall
> provides a single layer of security. If there are any bumps, glitches or
> gotchas in the code, then you leave yourself vulnerable to attack. I
> have yet to see a firewall that has gone through public scrutiny and
> come out the other side as 100% perfect and infallible.
> 
> By deploying two or more layers of perimeter protection, you hedge your
> bets. If one layer has a tiny hole, chances are you can plug it with the
> second layer. Also, some security measures (like broadcast mapping and
> source routing) are actually easier to deal with on a router.

If you are absolutely not going to allow a particular protocol (e.g.
Microsoft RPC, NetBIOS Name Service, NetBIOS Datagram, NetBIOS Session, Sun
RPC, NFS, etc.), why not use the packet filtering in the router to dispose of
the packet?  It eliminates the overhead of buffering packets and packet
re-assembly that must be done in your application proxy or stateful
inspection firewall.

Merton Campbell Crockett
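As an added illustration of the point above (example configuration, not from the original thread): a Cisco IOS named extended access list applied inbound on the outside interface that discards the never-allowed protocols at the router, so the firewall behind it never has to buffer or reassemble them. The ACL name and the interface are assumptions; the ports are the registered ones for each service.

```cisco
! Added example (not from the thread): drop protocols that will never be
! allowed in at the border router, before they reach the firewall.
! ACL name and interface are assumptions; ports are the registered ones.
ip access-list extended DENY-RPC-NETBIOS
 ! Non-initial fragments carry no port numbers, so a port-based deny
 ! cannot match them. Dropping them here keeps reassembly off the
 ! firewall; only do this if no permitted traffic legitimately fragments.
 deny   ip  any any fragments
 ! Microsoft RPC endpoint mapper (TCP/UDP 135)
 deny   tcp any any eq 135 log
 deny   udp any any eq 135 log
 ! NetBIOS Name Service (UDP 137), Datagram (UDP 138), Session (TCP 139)
 deny   udp any any eq netbios-ns log
 deny   udp any any eq netbios-dgm log
 deny   tcp any any eq 139 log
 ! Sun RPC portmapper (TCP/UDP 111) and NFS (TCP/UDP 2049)
 deny   tcp any any eq sunrpc log
 deny   udp any any eq sunrpc log
 deny   tcp any any eq 2049 log
 deny   udp any any eq 2049 log
 ! Everything else continues on to the firewall for proxy or stateful
 ! inspection; the router only removes what will never be allowed.
 permit ip  any any
!
interface Serial0
 ip access-group DENY-RPC-NETBIOS in
```

The `log` keyword on each deny line gives the syslog record of what the router discarded, which is the evidence you want when checking that the firewall behind it is no longer seeing this traffic.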

