Stateful packet inspection is nowhere near enough protection, especially if
"holes" are poked through the firewall to allow public access to services in
a DMZ.
A stateful firewall will allow malicious packets to make it to a vulnerable
server. It inspects the packets up to layer 4, ignoring the "payload" which
extends to layer 7. To offer real-world protection, a stateful packet
inspection firewall needs to be supplemented by one or more of the
following:
1) Network intrusion detection system.
2) Server intrusion detection.
3) Content-checking proxy (HTML, email, etc.)
4) Application-level firewall (such as SecureIIS for MS IIS).
5) Network anti-virus protection.
6) Desktop anti-virus protection.
7) Firewall at the desktop.
George Jahchan
Technical Manager
Compucenter
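To make the point above concrete, here is an added example (not part of this thread, and not code from any of the products named in it): a toy simulation in which a layer-4 stateful filter tracks connection tuples only, so once a "hole" is opened to a DMZ web server, any payload on that flow passes through it; a minimal layer-7 content check in front of the server then enforces a request policy on the payload. The addresses, packets and policy are constructed for illustration.

```python
"""Constructed demonstration: stateful L4 filtering vs. an L7 content check.
Nothing here models a real firewall product; it only shows which layer
sees what."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed DMZ address: the "hole" poked through the firewall for public web access.
DMZ_WEB = ("10.0.2.10", 80)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for the first packet of a new connection
    payload: bytes = b""     # application data (layer 5-7), if any


class StatefulL4Filter:
    """Tracks 5-tuples of allowed flows; never examines the payload."""

    def __init__(self, allowed_services):
        self.allowed = set(allowed_services)
        self.table = set()   # established (src, sport, dst, dport) tuples

    def accept(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.table:
            return True      # part of an established flow: passed, payload unseen
        if p.syn and (p.dst, p.dport) in self.allowed:
            self.table.add(key)
            return True      # new connection to a published service
        return False         # unsolicited or unpublished: dropped


class HttpContentCheck:
    """Minimal layer-7 check: parse the HTTP request line and enforce a policy."""
    METHODS = {"GET", "HEAD"}

    def __init__(self, allowed_prefixes: Tuple[str, ...], max_target_len: int = 2048):
        self.allowed_prefixes = allowed_prefixes
        self.max_target_len = max_target_len

    def accept(self, payload: bytes) -> Tuple[bool, str]:
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            return False, "non-ASCII request"
        parts = text.split("\r\n", 1)[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
            return False, "malformed request line"
        method, target, _ = parts
        if method not in self.METHODS:
            return False, f"method {method} not allowed"
        if len(target) > self.max_target_len:
            return False, "request target too long"
        if not target.startswith(self.allowed_prefixes):
            return False, "target outside allowed paths"
        return True, "ok"


def run(packets: List[Packet], l4: StatefulL4Filter, l7: HttpContentCheck) -> List[str]:
    """Report, per packet, which layer stopped it (or 'delivered')."""
    results = []
    for p in packets:
        if not l4.accept(p):
            results.append("dropped-l4")
        elif p.payload:
            ok, reason = l7.accept(p.payload)
            results.append("delivered" if ok else f"blocked-l7: {reason}")
        else:
            results.append("delivered")   # handshake packet, nothing to inspect
    return results


# Constructed traffic: one legitimate client flow carrying good and bad requests,
# plus two packets that the L4 filter alone should already reject.
SAMPLE_PACKETS = [
    Packet("203.0.113.5", 40000, *DMZ_WEB, syn=True),
    Packet("203.0.113.5", 40000, *DMZ_WEB,
           payload=b"GET /docs/intro.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet("203.0.113.5", 40000, *DMZ_WEB,
           payload=b"TRACE /docs/ HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet("203.0.113.5", 40000, *DMZ_WEB,
           payload=b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.5", 40001, "10.0.2.10", 22, syn=True),      # unpublished service
    Packet("198.51.100.9", 5555, *DMZ_WEB,                        # no handshake, no state
           payload=b"GET /docs/ HTTP/1.1\r\n\r\n"),
]


def demo() -> List[str]:
    l4 = StatefulL4Filter(allowed_services=[DMZ_WEB])
    l7 = HttpContentCheck(allowed_prefixes=("/index.html", "/static/", "/docs/"))
    return run(SAMPLE_PACKETS, l4, l7)


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, demo()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

Running it shows the third and fourth packets accepted by the stateful filter (they belong to an established flow to a published port) and stopped only by the content check; the last two never get past layer 4. The L7 policy here is deliberately a simple allowlist with a length bound, which is the shape of check a content proxy or application-level firewall adds on top of connection tracking.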
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "kk downing" <[EMAIL PROTECTED]>
Cc: "Enrique Martin" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Bill Royds"
<[EMAIL PROTECTED]>
Sent: Thursday, April 04, 2002 5:03 pm
Subject: RE: Migration from Gauntlet 5 to Firewall-1
Proxy firewalls are slower than stateful inspection and stateful
inspection is adequate for most uses.
It is not security that sells firewalls, but "cover your *ss" for
liability.
Proxy firewalls are also less flexible since they need to have a proxy for
each service. The new whiz-bang application using a new proprietary
protocol is much more difficult to handle in a proxy firewall than in
stateful inspection.
Security is not what counts today in sales of internet security
products. It is GUI, flexibility and market share.
Unfortunate, but true.
Bill Royds
Acting System Administrator,
Canadian Heritage Information Network
(819) 994-1200 X 239
kk downing <[EMAIL PROTECTED]>
04/04/02 09:34 AM
To: Bill Royds <[EMAIL PROTECTED]>, Enrique Martin <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
cc:
Subject: RE: Migration from Gauntlet 5 to Firewall-1
Why is a proxy firewall inherently more secure than a
stateful inspection firewall? If this is true, why is
the trend towards stateful inspection among leading
firewall vendors? I was under the impression that most
shops were moving away from Gauntlet, which it was my
understanding was pretty much a favorite of the
financial industry but not many others.
--- Bill Royds <[EMAIL PROTECTED]> wrote:
> Gauntlet is a proxy firewall and FW-1 uses stateful
> inspection so there are significant logical
> differences between one and the other. Because of
> this it would probably not be a good idea to just convert
> the rules. A proxy firewall is inherently more
> secure than a stateful inspection one. So a single
> rule on the Gauntlet may need several FW-1 rules in
> a particular order to achieve the same effect.
> Blowing the order can invalidate the effect of the
> rules.
> I would recommend reviewing your security policy
> with a good FW-1 expert and re-creating the FW-1
> rule set from the beginning to ensure that it still
> covers the same areas that your Gauntlet covered.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Enrique Martin
> Sent: Wed April 03 2002 05:04
> To: [EMAIL PROTECTED]
> Subject: Migration from Gauntlet 5 to Firewall-1
>
>
> Hi all,
> How do you do a migration of the policies from
> Gauntlet to Firewall-1
> on different machines?
> I think that it shouldn't be too difficult, but I
> would like to have
> some advice from someone who has done it. Could
> somebody help me?
>
> Thanks in advance.
>
> ------
> Enrique
> --
>
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls