On Wed, 8 Mar 2000, Ng, Kenneth (US) wrote:
> jna wrote:
> > Very few firewalls actually check that the protocol travelling over a
> > particular port -really is- what the port is supposed to be used for.
>
> If this is the case, and I am at least partly inclined to believe it, then
It is. Don't not believe this. You're only fooling yourself.
> why do we have application proxy firewalls at all? I could save a fortune
> switching to CheckPoint or even a Cisco router with filtering.
(save a fortune? what are you running now, nothing?)
Application proxy = complete and total isolation, but they're cheap and
easy to write.
Filtering router = barely any isolation, just drops packets and you have
to let large sections of the port space back in so connections work
(unless using the established keywords under cisco, but a router and
filtering SHOULD NOT be your first line of defense.)
Checkpoint FW1 = screening firewall, that opens ports up on an as-needed
basis. Much better solution.
CheckPoint's a better firewall in this case because it's a screening
router of sorts and only permits what is needed through. Cisco's IOS with
the FW package does nearly the same thing without the pretty GUI.
Of course, the best is still the Lucent Brick, which is a hardware
bridge/router that acts as a screening firewall with much better intrusion
detection and logging.
-john
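As an added illustration of the three filtering styles contrasted in this post (this is example code written for this page, not code from the thread or from any of the products named), the Python model below simulates a stateless ACL using an "established"-style rule (approximated here as "inbound allowed if the ACK or RST bit is set"), a stateful screening filter that only admits replies to connections it has seen opened from inside, and a proxy-style filter that additionally checks that the first client data sent on port 80 is actually an HTTP request. The packets, the 10.0.0.0/8 "inside" convention and the addresses are all constructed for the example.

```python
"""Toy comparison of stateless, stateful and proxy-style filtering.

Constructed example: packets are plain records, addresses are documentation
ranges, and the protected network is assumed to be 10.0.0.0/8.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags present, e.g. {"SYN"} or {"ACK"}
    payload: bytes = b""      # application data carried by this segment


def is_inside(ip: str) -> bool:
    # Assumed convention for the example: 10.0.0.0/8 is the protected side.
    return ip.startswith("10.")


def stateless_established(pkt: Packet) -> bool:
    """Stateless ACL: outbound is open; inbound is admitted whenever the ACK
    or RST bit is set, with no memory of whether a connection exists."""
    if is_inside(pkt.src):
        return True
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Screening filter: opens a return path only for connections that an
    inside host initiated to an allowed port."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)
        self.table = set()    # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_inside(pkt.src):
            if "SYN" in pkt.flags and pkt.dport in self.allowed:
                self.table.add(key)       # new outbound connection
                return True
            return key in self.table      # data on an existing connection
        # Inbound: only replies to a tracked connection get through.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http_request(payload: bytes) -> bool:
    """Minimal check that client data on port 80 is an HTTP request line."""
    if not payload.startswith(HTTP_METHODS):
        return False
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/1.")


class ProxyFilter(StatefulFilter):
    """Stateful tracking plus a per-port protocol check on the first client
    data, the kind of validation an application proxy performs."""

    def __init__(self, allowed_ports, validators):
        super().__init__(allowed_ports)
        self.validators = validators  # dport -> callable(payload) -> bool
        self.verified = set()

    def allow(self, pkt: Packet) -> bool:
        if not super().allow(pkt):
            return False
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        check = self.validators.get(pkt.dport)
        if is_inside(pkt.src) and check and pkt.payload and key not in self.verified:
            if not check(pkt.payload):
                self.table.discard(key)   # wrong protocol on the port: drop it
                return False
            self.verified.add(key)
        return True


def run_scenarios():
    """Feed the same constructed packet sequence to all three filters and
    return, per scenario, (stateless, stateful, proxy) verdicts."""
    stateful = StatefulFilter({80, 443})
    proxy = ProxyFilter({80, 443}, {80: looks_like_http_request})
    filters = (stateless_established, stateful.allow, proxy.allow)
    inside, web, unknown = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    results = {}

    def step(name, pkt):
        results[name] = tuple(f(pkt) for f in filters)

    step("outbound SYN to web:80", Packet(inside, 40000, web, 80, frozenset({"SYN"})))
    step("SYN/ACK reply from web", Packet(web, 80, inside, 40000, frozenset({"SYN", "ACK"})))
    step("HTTP request on that connection", Packet(inside, 40000, web, 80, frozenset({"ACK"}),
                                                   b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"))
    step("unsolicited inbound ACK to inside:22", Packet(unknown, 1234, inside, 22, frozenset({"ACK"})))
    step("outbound SYN to unknown:80", Packet(inside, 40001, unknown, 80, frozenset({"SYN"})))
    step("non-HTTP data on port 80", Packet(inside, 40001, unknown, 80, frozenset({"ACK"}),
                                            b"SSH-2.0-OpenSSH\r\n"))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:40s} stateless={verdict[0]} stateful={verdict[1]} proxy={verdict[2]}")
```

The two scenarios worth watching are the unsolicited inbound packet with ACK set, which the stateless rule admits and both connection-tracking filters drop, and the non-HTTP data sent on port 80, which only the proxy-style filter rejects because it is the only one that looks at what is actually travelling over the port.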
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]