firewalls != IDS, they are separate beasts, each requiring their own care and feeding. They should not be confused with one another for sure <smile>.
Thanks,

Ron DuFresne

On Thu, 4 Apr 2002, kk downing wrote:

> Interesting. Does the Gauntlet have the ability to act on these violations, like Nimda or FTP over DNS, or do you need a separate IDS to take care of that? Anyway I thought the job of the IDS was to do that sort of inspecting anyway, but if an FW-1 supports it natively like that it seems pretty cool and I am wondering why someone would be inclined to switch vendors if that was in fact the case. Can you elaborate on problems that arise from NAT and using the same IP on both sides of a stream? That part confused me.
>
> --- [EMAIL PROTECTED] wrote:
> > Proxy firewalls create new sessions for a connection. One session is between client and firewall; the second is between firewall and server. It then examines the session for conformance to the RFCs, normalizes character sets, catches buffer overflows etc. So, for example, a proxy firewall could prevent Nimda attacks on servers because it would already convert unicode strings to correct characters before IIS saw it (although many proxy firewalls did not do this, some did).
> >
> > A stateful inspection firewall does not examine the contents of packets, only the headers (although it does keep track of TCP state to catch packet sequence spoofing etc.). It does not normally look at actual contents of packets, so it would allow FTP over a DNS port without batting an eye. FW-1 has a full proxy for HTTP to handle this, but the stateful inspection firewall does not. Of course a proxy also handles all the filtering features of a stateful inspection firewall. NAT is inherent in the structure, and the problem sometimes arises that it takes special effort to allow the same IP to be used for both sides of the stream.
> >
> > Even if a proxy firewall is only using a null proxy (not actually examining the contents), it still regenerates the stream, preventing sequence number attacks, fragmentation attacks etc., so is better than stateful inspection.
> >
> > But this dual stream approach comes at the price of more processing and more latency. With modern CPUs, they can generally handle the actual data flow, but they pause at the front for a time, giving them more latency.
> >
> > kk downing said:
> > I agree with your observations on marketing-fueled economies, but my question is why is a proxy firewall inherently more secure than stateful inspection. I haven't used the Gauntlet but it sounds labor intensive.
> >
> > Bill Royds
> > Acting System Administrator,
> > Canadian Heritage Information Network
> > (819) 994-1200 X 239
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
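Added illustration, not part of the thread and not code from Gauntlet, FW-1 or any other product: the two content checks Bill Royds attributes to a proxy (canonicalising an encoded request path before the back end sees it, and refusing non-DNS traffic on the DNS port) placed beside the only decision a header-only filter can make. The HTTP sample is constructed, modelled on the widely published Nimda probe; the udp/53 allow rule, the "FTP on port 53" datagram and the DNS query are all constructed assumptions for the example.

```python
"""Editorial example (not from the thread): proxy-style content checks vs. a
header-only verdict. Samples below are constructed for illustration."""
from __future__ import annotations
import struct
from urllib.parse import unquote_to_bytes

# Assumption: the header-only rule set permits udp/53 and nothing else.
ALLOWED_UDP_PORTS = {53}


def header_only_allows(proto: str, dport: int) -> bool:
    """All a stateful, header-only filter can decide: protocol and port."""
    return proto == "udp" and dport in ALLOWED_UDP_PORTS


def collapse_overlong_ascii(data: bytes) -> bytes:
    """Map overlong 2-/3-byte UTF-8 encodings of ASCII (C0 AF or E0 80 AF for
    '/') to the plain byte; leave real non-ASCII and junk bytes untouched.
    Python's strict decoder rejects overlong forms, hence the manual loop."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            cp, width = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F), 2
        elif (0xE0 <= b < 0xF0 and i + 2 < len(data)
              and all(0x80 <= x < 0xC0 for x in data[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            width = 3
        else:
            cp, width = b, 1
        if cp < 0x80:
            out.append(cp)            # plain or overlong ASCII: canonical byte
        else:
            out += data[i:i + width]  # genuine non-ASCII: pass through as-is
        i += width
    return bytes(out)


def normalize_url_path(raw_path: str, rounds: int = 3) -> tuple[str, bool]:
    """Decode the path the way the back end eventually will (repeated
    percent-decoding for double encoding, overlong UTF-8 collapsed, backslash
    as a separator) and report whether it climbs above the document root.
    Returns (canonical_path, escapes_root)."""
    data = raw_path.split("?", 1)[0].encode("latin-1")
    for _ in range(rounds):
        decoded = collapse_overlong_ascii(unquote_to_bytes(data))
        if decoded == data:
            break                     # stable: nothing left to decode
        data = decoded
    kept, escapes = [], False
    for seg in data.decode("latin-1").replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if kept:
                kept.pop()
            else:
                escapes = True        # more '..' than directories to climb
            continue
        kept.append(seg)
    return "/" + "/".join(kept), escapes


def looks_like_dns_query(payload: bytes) -> bool:
    """Minimal RFC 1035 shape check: 12-byte header with QR=0, opcode 0,
    at least one question, and a well-formed first QNAME plus QTYPE/QCLASS."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount == 0:
        return False
    pos = 12
    while True:                       # walk the QNAME label by label
        if pos >= len(payload):
            return False
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(payload):
            return False
        pos += length
    return len(payload) >= pos + 4    # QTYPE and QCLASS must follow


# Constructed samples (the HTTP line is modelled on the published Nimda probe).
NIMDA_PROBE = "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
DNS_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
FTP_ON_53 = b"USER anonymous\r\n"

if __name__ == "__main__":
    path = NIMDA_PROBE.split(" ")[1]
    print("proxy sees:", normalize_url_path(path))      # ('/winnt/system32/cmd.exe', True)
    for name, dgram in (("dns", DNS_QUERY), ("ftp-on-53", FTP_ON_53)):
        print(name, "header-only:", header_only_allows("udp", 53),
              "proxy:", looks_like_dns_query(dgram))
```

The header-only function returns the same answer for both port-53 datagrams, which is the "without batting an eye" behaviour described above; only the content check separates them. The path normaliser is deliberately repeated up to three rounds so that a double-encoded separator (`%255c`) decodes the same way a single overlong one (`%c0%af`) does.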
