> Try to think of a Web attack, where an attacker exploits a vulnerability
> in a Web server and opens a shell to execute commands. An application
> gateway firewall can stop this kind of attack, and this is something a
> packet filter cannot do.
>
> At
> Marlon
Can. They don't always do this, however. And you should distinguish between
a static packet filter (a traditional router) and newer intelligent/stateful/
dynamic packet filtering routers/firewalls. Many firewalls today are hybrids
of application level gateways (mail/web/dns/etc. proxies) plus some static &
some dynamic/stateful/intelligent packet filtering.
Many low-end application-level and intelligent/dynamic/stateful
packet inspection & filtering firewalls don't actually provide the
highly sophisticated level of application-specific-aware security
protection, so you either have to supplement them with separate
external intrusion detection systems, or with host-based software firewalls
on the Web servers themselves (always a good idea anyway), or both.
Some app-level (proxy) as well as some of the intelligent/dynamic/stateful
packet inspection&filtering firewalls do provide this level of functionality
-- but it means today that they have an intrusion detection system built (or
plugged) into them (along with a database of IDS signatures) and often also
some sophisticated heuristics (to try to find patterns and catch security
events which are not hardcoded in any particular IDS signature).
- H. Morrow Long
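An added illustration, not part of this thread, of the distinction Morrow draws: a static ACL sees only header fields such as the destination port, while an application-level gateway decodes the HTTP request and can apply a signature database plus heuristics. The signature patterns and sample requests below are constructed for the example and are not a real IDS signature set.

```python
# Added example, not from the thread: a static ACL sees only the 5-tuple, while an
# application-level gateway parses the request and applies signatures plus heuristics.
import re
from urllib.parse import unquote

# Constructed, illustrative "IDS signature database" (name -> pattern on the decoded
# request target); not a real vendor signature set.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "shell-metachars": re.compile(r"[;|`]"),
}

def packet_filter(dst_port, proto="tcp"):
    """Static ACL equivalent to 'permit tcp any host <web> eq 80': header fields only."""
    return proto == "tcp" and dst_port == 80

def app_gateway(raw_request):
    """Proxy-style inspection of the HTTP request line."""
    try:
        line = raw_request.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return "deny: non-ASCII bytes in request line"  # heuristic, not a signature
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "deny: malformed request line"
    method, target, _version = parts
    if method not in ("GET", "HEAD", "POST"):
        return f"deny: method {method} not proxied"
    decoded = unquote(target)  # inspect the decoded form; URL encoding hides the pattern
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return f"deny: signature {name}"
    if len(decoded) > 2048:  # heuristic for events no signature names
        return "deny: heuristic request-target length"
    return "allow"

# Constructed sample traffic; every request is TCP to port 80, so the ACL permits all of it.
SAMPLES = [
    b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n",
    b"GET /cgi-bin/x?f=..%2F..%2Fconfig HTTP/1.0\r\n\r\n",
    b"GET /a?x=1;ls HTTP/1.0\r\n\r\n",
    b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n",
]

def compare(samples=SAMPLES):
    """Return (ACL verdict, gateway verdict) per request; the ACL is always True here."""
    return [(packet_filter(80), app_gateway(s)) for s in samples]
```

Running `compare()` shows the ACL permitting all four requests while the gateway denies three of them, which is the gap a host-based firewall or IDS has to cover when only a packet filter is in the path.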
Marlon Jabbur wrote:
>
> Hi,
>
> Try to think of a Web attack, where an attacker exploits a vulnerability
> in a Web server and opens a shell to execute commands. An application
> gateway firewall can stop this kind of attack, and this is something a
> packet filter cannot do.
>
> At
> Marlon
>
> ----- Original Message -----
> From: Fredy Santana <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, July 24, 2000 10:36 AM
> Subject: Re(2): Poor practice of using a router as a firewall
>
> > Hi Everybody:
> >
> > I had read the discussion and I thought: well, let's forget the
> > firewalls and let's start to use the IOS Firewall Feature Set in our
> > routers, or simply use the ACLs to keep our networks secure!! :-).
> > This is enough.
> >
> > Now seriously speaking, does anyone know of a case of a router with
> > ACLs being penetrated, and whether this could have been avoided with a
> > traditional firewall (like Gauntlet, Firewall-1 or Sonicwall)?
> >
> > Regards from Chile
> >
> >
> >
> > [EMAIL PROTECTED] writes:
> > >
> > >
> > >Peter Bruderer wrote:
> > >>
> > >> As soon as you let traffic pass your firewall from the outside
> > >> to the inside even if it is just one single service, it does not
> > >> matter what kind of firewall you have. The firewall can just
> > >> reduce the number of ports you are allowed to connect to. But if
> > >> the server you are connecting to is vulnerable on the
> > >> application layer, the firewall cannot stop an attacker.
> > >
> > >Unless the firewall manages to catch the application layer attack,
> > >that is :) No, really, I agree; application layer filtering
> > >is tricky business and no one comes even remotely close to being
> > >good at it these days with the plethora of protocols and
> > >increasing complexity in HTTP & co.
> > >
> > >
> > >--
> > >Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
> > >Phone: +46-(0)660-29 92 00 Fax: +46-(0)660-122 50
> > >Mobile: +46-(0)70-66 77 636
> > >WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
> > >-
> > >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> > >"unsubscribe firewalls" in the body of the message.]
> >
> >
> >
> > Regards
> > Fredy R. Santana V.
> > Electrical Engineer
> > Orion 2000 - Professional Services in Information Security
> > La Concepcion 322 piso 12, Providencia.
> > Phone: 6403944 - [EMAIL PROTECTED]
> >
> >
>