Hi Aza,
Application proxies CAN be more secure for a couple of reasons:
- The proxy should interpret the contents of the packet (e.g. read the HTTP
GET commands) to ensure that they are valid. They CAN do checks to confirm
that the contents of the packet conform to the appropriate RFC etc. before
passing the request to the internal server.
- Because the proxy terminates the connection from the client, and generates
a new one from the proxy to the server, the actual IP packets from the
client never pass through to the server. So if people play tricks with
fragments or undocumented IP fields the internal server never sees them.
A packet filter only works on port numbers. If you allow connections on port
80 through the firewall to your web server, the firewall will only check the
source and destination IP addresses and port numbers, and allow the packet
through. So if the packets have been intentionally fiddled with in some way
the 'fiddled' packet will get to the server.
> -----Original Message-----
> From: Aza Goudriaan [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, April 13, 2000 5:01 PM
> To: [EMAIL PROTECTED]
> Subject: Packet Filtering vs. Proxy
>
> Hi,
>
> At this moment I'm configuring a firewall for my little test network (it is
> for educational reasons). The services I like to run are www and mail.
>
> 1. When reading about packet filtering and proxies, everybody says that a
> proxy gives more security than (stateful) packet filtering. Can you explain
> why?
>
> 2. When testing my server by online port scanners, I don't see any
> difference when I turn on or off the firewall. Is it always necessary to use
> a firewall, when only using www (outbound; no webserver in network)? (I'm
> using a Windows workstation and do www via a Novell NetWare 5 server,
> running NAT). In that situation (only outbound www), there are no open
> ports, are there? Then it's impossible to connect to any port on my
> Novell-machine?
>
> Thanks in advance,
> Aza Goudriaan,
> student
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
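
The contrast drawn in the reply above, as an added example that is not part of the original thread: a header-only filter decision next to the request parsing a proxy can do before it opens its own connection to the internal server. The addresses, the allowed-method policy, the sample requests and the choice of the RFC 7230 token grammar for header names are assumptions made for illustration.

```python
import re

# Constructed filter rule: anything addressed to the web server on TCP/80 passes.
ALLOWED_DST = {("192.0.2.10", 80)}  # hypothetical internal web server
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 token chars
VERSION = re.compile(r"HTTP/1\.[01]")
METHODS = {"GET", "HEAD", "POST"}  # assumed site policy

def packet_filter(src_ip, dst_ip, dst_port, payload):
    """Decide on addresses and ports only; the payload is never read."""
    return (dst_ip, dst_port) in ALLOWED_DST

def proxy_check(raw):
    """Parse the request as a proxy would before opening its own
    connection to the internal server. Returns (ok, reason)."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "header block not terminated"
    lines = head.split(b"\r\n")
    try:
        text = [line.decode("ascii") for line in lines]
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in header block"
    parts = text[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in METHODS:
        return False, "method not allowed"
    if not target.startswith("/") or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False, "bad request target"
    if not VERSION.fullmatch(version):
        return False, "bad HTTP version"
    for field in text[1:]:
        name, colon, _ = field.partition(":")
        if not colon or not TOKEN.fullmatch(name):
            return False, "malformed header field"
    return True, "ok"

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "valid": b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "nul_in_target": b"GET /index.html\x00 HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "space_before_colon": b"GET / HTTP/1.0\r\nHost : www.example.test\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, packet_filter("198.51.100.7", "192.0.2.10", 80, raw), proxy_check(raw))
```

All three samples pass the filter because their destination is the allowed address and port; only the first passes the proxy check.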