Every textbook says that proxy firewalls are more secure than stateful 
packet filters.

In practice, how much checking does a proxy firewall actually do? I know 
I could connect through the HTTP proxy on our old Gauntlet firewall from 
the Internet, and by typing "GET http://mailserver:25/ HTTP/1.0" I could 
get a connection to our internal mail server and send email. So it 
obviously doesn't do much checking at the application layer.

There are ways to configure the firewall to stop this, like not using 
the HTTP proxy! But unless you know about this 'feature', it's easy to 
get caught by it. How many more of these 'features' exist in your firewall?

I believe that in practical terms the security of a firewall (or 
anything else) is governed more by the level of expertise of the person 
configuring it than by its internal architecture.

The administrator of a stateful packet filter who knows it inside out is 
likely to have it configured much more securely than someone with an 
EAL4-accredited firewall who only knows what's in the manual.

So find the simplest firewall that fits your needs, and 
spend as much time as you can learning how it works!


Fei Yang wrote:

>Proxy firewalls investigate all seven layers of information, but stateful packet firewalls 
>investigate only layer 3 and some of layer 4, though some vendors add some 
>application layer capabilities to their stateful packet firewalls, such as PIX. This 
>is why a proxy firewall is much more powerful than a stateful filter: it can see all contents 
>in the packets. And this is also the reason why a proxy firewall is quite a bit slower 
>compared to a stateful firewall.
>
>Fei.
>
>



_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
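The "GET http://mailserver:25/ HTTP/1.0" trick described in the post above works because the proxy forwards to whatever host:port appears in the absolute URI and relays whatever comes back. As an added example (not code from the original post, and not Gauntlet's own logic), here are the two checks an HTTP proxy needs to close that hole: a destination policy applied to the request line (both the absolute-URI form and CONNECT), and a check that the upstream actually speaks HTTP before anything is relayed. The allowed-port sets, the internal address ranges, the hostnames and the SMTP banner are all assumptions constructed for the example; `probe()` reproduces the author's test against a live proxy and is the only part that touches the network.

```python
# Added example, not code from the original post or from the Gauntlet product.
# Two checks an HTTP proxy needs so that "GET http://mailserver:25/ HTTP/1.0"
# cannot be used to reach an SMTP server: a destination policy on the request
# line, and a sanity check on what the upstream actually sends back.
import re
import socket
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumed policy (illustrative values): plain-HTTP ports the proxy serves,
# and the one port CONNECT may tunnel to.
HTTP_PORTS = {80, 8080}
CONNECT_PORTS = {443}
# Assumed internal ranges an outside client must never reach via the proxy.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def is_internal(addr):
    """True if an IP literal falls in one of INTERNAL_NETS."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def proxy_policy(request_line, resolve=lambda host: None):
    """Decide whether a proxy should forward this request line.

    Returns (allowed, reason).  `resolve` maps a hostname to an IP string
    (or None when unknown) so the internal-address check also covers names;
    by default nothing is resolved.
    """
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return False, "malformed request line"
    method, target = m.group(1), m.group(2)

    if method == "CONNECT":
        # CONNECT carries a bare host:port and tunnels raw bytes, so it is the
        # cleanest way to reach port 25 if left unrestricted.
        host, sep, port_s = target.rpartition(":")
        if not sep or not host or not port_s.isdigit():
            return False, "malformed CONNECT target"
        hostname, port, allowed_ports = host.strip("[]"), int(port_s), CONNECT_PORTS
    elif method in ("GET", "HEAD", "POST"):
        url = urlsplit(target)
        if url.scheme != "http" or not url.hostname:
            return False, "only absolute http:// URLs are proxied"
        try:
            port = url.port or 80
        except ValueError:
            return False, "malformed port in URL"
        hostname, allowed_ports = url.hostname, HTTP_PORTS
    else:
        return False, f"method {method} is not proxied"

    if port not in allowed_ports:
        return False, f"{method} to port {port} is not allowed"
    addr = resolve(hostname)
    if addr is not None and is_internal(addr):
        return False, f"{hostname} resolves to an internal address"
    return True, "ok"


def classify_upstream(first_bytes):
    """Classify the first bytes an upstream sends.  Anything but HTTP means the
    proxy has become a generic TCP relay and should drop the session."""
    first_line = first_bytes.split(b"\r\n", 1)[0]
    if first_bytes.startswith(b"HTTP/"):
        return "http"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if re.match(rb"220[ -].*\bE?SMTP\b", first_line):
        return "smtp"
    if re.match(rb"\d{3}[ -]", first_line):
        return "other-banner"  # FTP and similar numeric greetings
    return "unknown"


def probe(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Reproduce the post's test against a live proxy (network use; not part of
    the offline checks).  Returns the classification of the reply."""
    request = (f"GET http://{target_host}:{target_port}/ HTTP/1.0\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n")
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request.encode())
        return classify_upstream(s.recv(512))


if __name__ == "__main__":
    # Constructed inputs: the request line from the post plus a few variants.
    for line in ("GET http://mailserver:25/ HTTP/1.0",
                 "GET http://www.example.com/ HTTP/1.0",
                 "CONNECT mailserver:25 HTTP/1.1",
                 "CONNECT www.example.com:443 HTTP/1.1"):
        print(f"{line!r:45} -> {proxy_policy(line)}")
    # Constructed SMTP banner, i.e. what came back through the old proxy.
    print(classify_upstream(b"220 mailserver.example.org ESMTP Sendmail ready\r\n"))
```

The port check alone would have stopped the case in the post; the upstream classification catches the cases a port allowlist misses, such as a non-HTTP service parked on port 80. Resolving the hostname before the internal-range check matters because the proxy, not the client, is the one doing the lookup.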