Most users of Win9x are naive about the nature of the Internet and are not aware of
the risks inherent in various Internet services. They will run programs that attempt
to download binary data through HTTP, are easily persuaded to click on executables in
email, etc. A proxy firewall forces connections to be valid for the protocol (but see
Marcus Ranum's recent rants on firewall-wizards about the real efficacy of proxies).
This helps prevent trojans from sending raw binary data through port 80 or
fragmentation attacks through the firewall to the desktop. The logging also tends to
be a bit more thorough so the full URL of an HTTP request is in the logs, one can
limit which NNTP groups can be seen, not just which server can be used etc.
Most application gateways apply their rules in a coverage manner rather than order-based.
One defines entities as groups of domains or hosts having certain properties
and then applies rules between these entities. An individual host can be part of
several entities and the rule is applied according to the narrowest entity applicable
with no regard for ordering of rule creation. This allows for the rules to be based on
logical policy rather than dependent on correct order of application.
Since a corporate network may have thousands of machines, each belonging to hundreds
of possible entities, this helps ensure that the rules are applied properly and
reduces the risk of machines falling through the cracks. It can be done in FW-1 but it
takes more than skill in playing with the management console to achieve it.
From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 26, 2001 18:47
On Tue, 23 Jan 2001, Bill Royds wrote:
> FW-1 in the middle is very popular because it tends to balance speed and safety but
> I really wouldn't want to use it to protect too many desktops running Win95.
>
Can you clarify the last statement for me? Why was the significance here
of M$ machines?
Thanks,
Ron DuFresne
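The coverage-style evaluation described above (the narrowest applicable entity wins, regardless of the order in which rules were created) beside plain first-match ordering, as an added example that is not from the original message or from any firewall product; the entity names, address ranges and rules are constructed.

```python
import ipaddress

# Constructed example, not from the original list message or any product's code.
# Entities are named groups of networks; rules are (source_entity, dest_entity, action).
ENTITIES = {
    "corp":      ["10.0.0.0/8"],
    "desktops":  ["10.20.0.0/16"],
    "win9x-lab": ["10.20.5.0/24"],
    "internet":  ["0.0.0.0/0"],
}

def specificity(entity):
    """Narrowness of an entity: the longest prefix length among its networks."""
    return max(ipaddress.ip_network(n).prefixlen for n in ENTITIES[entity])

def entities_for(host):
    addr = ipaddress.ip_address(host)
    return [e for e, nets in ENTITIES.items() if any(addr in ipaddress.ip_network(n) for n in nets)]

def coverage_decide(rules, src, dst):
    """Pick the rule whose (src, dst) entity pair is narrowest, ignoring rule order."""
    src_ents, dst_ents = entities_for(src), entities_for(dst)
    candidates = [r for r in rules if r[0] in src_ents and r[1] in dst_ents]
    if not candidates:
        return "drop"  # default deny when no entity pair matches
    best = max(candidates, key=lambda r: (specificity(r[0]), specificity(r[1])))
    return best[2]

def order_decide(rules, src, dst):
    """First-match evaluation: the first rule in list order that applies wins."""
    src_ents, dst_ents = entities_for(src), entities_for(dst)
    for s, d, action in rules:
        if s in src_ents and d in dst_ents:
            return action
    return "drop"

# Constructed rule set: a broad permit created first, a narrow deny for the Win9x lab created later.
RULES = [
    ("desktops", "internet", "allow-http-proxy"),
    ("win9x-lab", "internet", "deny"),
]

if __name__ == "__main__":
    host = "10.20.5.7"   # a Win9x lab machine: member of corp, desktops, win9x-lab and internet
    print(entities_for(host))
    print("order-based :", order_decide(RULES, host, "203.0.113.10"))    # allow-http-proxy (narrow deny shadowed)
    print("coverage    :", coverage_decide(RULES, host, "203.0.113.10"))  # deny
```

With first-match ordering the later, narrower deny is shadowed by the earlier broad permit, which is the "falling through the cracks" case; coverage evaluation reaches the deny no matter where it sits in the list.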