On Tue, 23 Jan 2001, Bill Royds wrote:
> Stateful Inspection watches the stream including some protocol monitoring and
> matching outgoing and incoming packets. But it doesn't re-create the stream like a
> full proxy does to allow full syntax checking. It does a bit more than just maintain
> TCP state or match ports and IP IDs like a simple stateful filter (versus a stateless
> filter that does not match packets to a conversation).
> There is a kind of hierarchy of firewalls:
>   NATting router          - Modifies destination addresses for private networking
>   Stateless Packet filter - Checks ports and flags on a packet-by-packet basis
>   Stateful Packet filter  - Matches packets by sockets (in to out)
>   Stateful Inspection     - Watches the contents as well (doesn't change flags etc.)
>   Application Proxy       - Recreates contents of incoming to outgoing with 2 streams
>
> As you go down you get a bit more safety but do more work so lose speed. Also not
> all application gateways really handle the TCP/IP stack hardening as well as packet
> filters do. All of them are tools that have a place in perimeter defence but none is a
> magic bullet. FW-1 in the middle is very popular because it tends to balance speed
> and safety but I really wouldn't want to use it to protect too many desktops running
> Win95.
>
Can you clarify the last statement for me? Why was the significance here
of M$ machines?
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
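To make the distinction in Bill's hierarchy between a stateless packet filter ("checks ports and flags on a packet by packet basis") and a stateful packet filter ("matches packets by sockets, in to out") concrete, here is an added simulation that is not part of the original thread or any product mentioned in it. It runs the same constructed packet stream through both kinds of filter: the stateless one uses the classic "allow inbound if ACK is set" rule, the stateful one keeps a table keyed by the socket pair and only admits inbound packets that belong to a conversation an inside host opened. The addresses, ports and the attacker's packets are all made up for the example (RFC 5737 documentation ranges), and the connection-tracking logic is a deliberately minimal sketch, not any real firewall's state machine.

```python
"""Stateless vs stateful packet filtering on a constructed packet stream."""
from dataclasses import dataclass

# TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Packet:
    direction: str   # "out" = inside host to outside, "in" = outside to inside
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def stateless_allow(pkt):
    """Stateless filter: decides on the packet alone. Outbound is always
    allowed; inbound is allowed only when ACK is set, the usual approximation
    of 'reply to an established connection'. It has no memory, so it cannot
    tell a genuine reply from a forged ACK-flagged probe."""
    if pkt.direction == "out":
        return True
    return bool(pkt.flags & ACK)


class StatefulFilter:
    """Stateful filter: admits inbound traffic only if it matches a
    conversation an inside host opened. The table is keyed by the socket
    pair (inside ip, inside port, outside ip, outside port)."""

    def __init__(self):
        self.conns = {}  # socket pair -> "SYN_SENT" | "ESTABLISHED"

    def allow(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.conns[key] = "SYN_SENT"       # inside host opens a connection
                return True
            if key in self.conns:
                if pkt.flags & RST:
                    del self.conns[key]            # connection torn down
                return True
            return False                           # outbound packet with no conversation
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.conns.get(key)
        if state is None:
            return False                           # unsolicited inbound: drop
        if state == "SYN_SENT":
            if pkt.flags & SYN and pkt.flags & ACK:
                self.conns[key] = "ESTABLISHED"
                return True
            return False                           # expected a SYN-ACK, got something else
        if pkt.flags & RST:
            del self.conns[key]
        return True


def run(packets):
    """Return (stateless_decisions, stateful_decisions) for the same stream."""
    sf = StatefulFilter()
    return [stateless_allow(p) for p in packets], [sf.allow(p) for p in packets]


# Constructed sample stream; RFC 5737 documentation addresses, not real hosts.
INSIDE, WEB, ATTACKER = "192.0.2.10", "203.0.113.80", "198.51.100.7"
STREAM = [
    Packet("out", INSIDE, 40000, WEB, 80, SYN),             # 0 inside host opens HTTP
    Packet("in",  WEB, 80, INSIDE, 40000, SYN | ACK),       # 1 legitimate reply
    Packet("out", INSIDE, 40000, WEB, 80, ACK),             # 2 handshake completes
    Packet("in",  WEB, 80, INSIDE, 40000, ACK),             # 3 data from the server
    Packet("in",  ATTACKER, 31337, INSIDE, 445, ACK),       # 4 ACK-flagged probe (ACK scan)
    Packet("in",  ATTACKER, 31337, INSIDE, 22, SYN | ACK),  # 5 forged SYN-ACK, no SYN was sent
    Packet("in",  ATTACKER, 31337, INSIDE, 22, SYN),        # 6 plain inbound SYN
]

if __name__ == "__main__":
    stateless, stateful = run(STREAM)
    for p, a, b in zip(STREAM, stateless, stateful):
        print(f"{p.direction:>3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  "
              f"stateless={'pass' if a else 'drop'}  stateful={'pass' if b else 'drop'}")
```

Packets 4 and 5 are the point of the exercise: both carry the ACK bit, so the stateless rule passes them, while the stateful table has no conversation for those socket pairs and drops them. Both filters drop the bare inbound SYN (packet 6), which is why a stateless filter looks adequate until someone sends flag combinations it did not anticipate.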