On Thu, 17 Jan 2002, Chance Ellis wrote:

> I am trying to decide which is better.

They're both good for different reasons, I prefer to deploy both in my firewall solutions. Relying on a single vendor, single technology, or single protection mechanism isn't necessarily a good idea. Heterogeneous protections enjoy an extended amount of protection from not having the same flaws. If I choose Cisco for my screening routers, I'm unlikely to choose Cisco for my primary firewall. That's because not only is there a chance that code sharing happens between products (or programmer sharing), but also because that leaves me with no alternatives if I have a major issue with the vendor (no matter which vendor that is) - if I were to deploy a Cisco firewall, I'd want to also deploy someone else's proxy and possibly packet filtering technology. Two of the same thing in a line isn't as protective as two different things in a line.

> With a Packet filter (like PIX) you get great
> performance and security. Cisco's argument is that App
> proxies are not as secure because the security of the
> underlying OS is weak. Also, why do you need to go

That's an invalid generic argument, the security of the underlying OS is only as relevant as the path for processing data and running the proxies. The same is true of packet filtering.

> through layers 4-7? Cisco touts this should not be
> part of the job of the firewall. You need to secure

That's because Cisco sucks at application layer security - look at the historical issues they've had doing even SMTP. Cisco touts a lot about things they don't offer products on - DWDM was a fine example of that.

> your servers from these types of attacks anyway in
> case of internal hacks and there are new exploits
> coming out every day. So why not just load the fix on
> the servers and leave the firewall alone?

There are generally hundreds or thousands of servers, so if you can provide protection at the gateway, the immediacy of server patches is lessened.

Also, some things can't be stopped at the server, so having a protection mechanism in place helps tremendously in those cases (think about things like anti-spam measures, content driven attacks...)

> Application Proxies are nice because they do this
> functionality at the cost of performance though.

I've had PPro 200's doing proxy work for a few thousand users for brief periods of time, IMO the performance argument is weak for most traditional firewall uses other than protecting Web servers on a service network.

> Also, many security requirements ding the PIX for
> their poor logging facility. Products like Raptor
> provide much more information in their logs.

Logs are important for events. So is the ability to filter things like attachment types, URLs, etc - you can do that at the firewall, or at a proxy. You can use routers or hosts to do filtering, and you can use commercial or freeware products to do filtering or proxying. Let's not forget that filters can't protect against transport layer attacks they don't already know about, while proxies just need to not be vulnerable themselves.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
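Paul's point that a packet filter decides on headers while a proxy has to understand the content (and can therefore block attachment types or non-HTTP bytes on port 80) is easy to show on constructed traffic. The Python below is an added example, not code from the thread or from PIX, Raptor or any other product named; the rule set, the blocked extensions, the paths and the packets are all assumptions made up for it.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes = b""  # bytes a proxy sees; a screening router never looks here

# Screening-router ruleset: (proto, dport, action); first match wins, default deny.
FILTER_RULES = [("tcp", 80, "allow"), ("tcp", 25, "allow")]
# Proxy policy (hypothetical values chosen for this example).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_EXTENSIONS = (".exe", ".scr", ".vbs")

def packet_filter(pkt: Packet) -> str:
    """Header-only decision, the kind a router ACL or PIX-style filter makes."""
    for proto, dport, action in FILTER_RULES:
        if pkt.proto == proto and pkt.dport == dport:
            return action
    return "deny"

def http_proxy_check(payload: bytes) -> str:
    """Parse the HTTP request line as a proxy would; deny anything it cannot parse."""
    try:
        method, target, version = payload.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"  # not HTTP or malformed: the filter alone would have passed it
    if method not in ALLOWED_METHODS or not version.startswith("HTTP/"):
        return "deny"
    if urlsplit(target).path.lower().endswith(BLOCKED_EXTENSIONS):
        return "deny"  # attachment-type filtering is only possible above layer 4
    return "allow"

def evaluate(pkt: Packet) -> tuple:
    """Filter first; the proxy only sees port-80 traffic the filter let through."""
    filter_verdict = packet_filter(pkt)
    proxy_verdict = "n/a"
    if filter_verdict == "allow" and pkt.dport == 80:
        proxy_verdict = http_proxy_check(pkt.payload)
    return filter_verdict, proxy_verdict

# Constructed sample traffic: same destination port, very different content.
SAMPLES = {
    "page_fetch": Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "exe_fetch": Packet("tcp", 80, b"GET /tools/setup.EXE HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "non_http_on_80": Packet("tcp", 80, b"\x00\x01\xff\xfe"),
    "telnet": Packet("tcp", 23, b""),
}
```

The filter passes all three port-80 packets identically; only the proxy, which must parse the request, separates the page fetch from the blocked download and the non-HTTP bytes.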
