Proxy firewalls create new sessions for a connection. One session is
between client and firewall; the second is between firewall and server. The
firewall then examines the session for conformance to the RFCs, normalizes
character sets, catches buffer overflows etc. So, for example, a proxy
firewall could prevent Nimda attacks on servers because it would already
convert unicode strings to correct characters before IIS saw it (although
many proxy firewalls did not do this, some did).
A stateful inspection firewall does not examine the contents of packets,
only the headers (although it does keep track of TCP state to catch
packet sequence spoofing etc.). It does not normally look at actual
contents of packets so it would allow FTP over a DNS port without batting
an eye. FW-1 has a full proxy for HTTP to handle this, but the stateful
inspection firewall does not. Of course a proxy also handles all the
filtering features of a stateful inspection firewall. NAT is inherent in
the structure and the problem sometimes arises that it takes special
effort to allow the same IP to be used for both sides of the stream.
Even if a proxy firewall is only using a null proxy (not actually
examining the contents), it still regenerates the stream, preventing
sequence number attacks, fragmentation attacks etc. so is better than
stateful inspection.
But this dual stream approach comes at the price of more processing and
more latency.
With modern CPUs, they can generally handle the actual data flow, but
they pause at the front for a time, giving them more latency.
kk downing said:
I agree with your observations on marketing-fueled
economies but my question is why is a proxy firewall
inherently more secure than stateful inspection. I
haven't used the Gauntlet but it sounds labor
intensive.
Bill Royds
Acting System Administrator,
Canadian Heritage Information Network
(819) 994-1200 X 239
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
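The difference the post describes (a stateful filter deciding on headers only, versus a proxy that regenerates the stream and checks that the payload actually is DNS or a sanely encoded HTTP request) as an added, constructed example; it is not code from the list, from FW-1 or from Gauntlet, and the port policy, sample packets and helper names are assumptions.

```python
"""Header-only (stateful) verdict vs. proxy-style content validation."""
import struct
from urllib.parse import unquote_to_bytes

ALLOWED_PORTS = {53, 80}  # hypothetical policy: only DNS and HTTP permitted

# Constructed sample packets: a well-formed query for example.com, and an
# FTP login line aimed at the DNS port (the "FTP over a DNS port" case).
SAMPLE_DNS_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
SAMPLE_FTP_ON_53 = b"USER anonymous\r\n"


def stateful_allows(dst_port: int, payload: bytes) -> bool:
    """Stateful-inspection model: the verdict depends on headers only."""
    return dst_port in ALLOWED_PORTS


def looks_like_dns_query(payload: bytes) -> bool:
    """Proxy-style check: does the payload parse as a single DNS question?"""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qd != 1 or an or ns:   # QR bit set, or odd counts
        return False
    pos = 12                                    # walk the QNAME labels
    while True:
        if pos >= len(payload):
            return False
        n, pos = payload[pos], pos + 1
        if n == 0:
            break
        if n > 63 or pos + n > len(payload):    # label too long or truncated
            return False
        pos += n
    return pos + 4 <= len(payload)              # QTYPE and QCLASS must follow


def normalized_http_path(payload: bytes):
    """Percent-decode the request target, then decode it as strict UTF-8.
    Python's strict decoder rejects overlong sequences such as %c0%af, so the
    proxy sees the real characters; None means malformed or traversal."""
    try:
        _method, target, _version = payload.split(b"\r\n", 1)[0].split(b" ")
        path = unquote_to_bytes(target).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not path.startswith("/") or ".." in path.split("/"):
        return None
    return path


def proxy_allows(dst_port: int, payload: bytes) -> bool:
    """Proxy model: allowed port AND a payload that is what the port is for."""
    if dst_port == 53:
        return looks_like_dns_query(payload)
    if dst_port == 80:
        return normalized_http_path(payload) is not None
    return False
```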