On Fri, 5 Apr 2002, Darryl Luff wrote:

> Every text book says that proxy firewalls are more secure than stateful
> packet filters.

That's because they mostly have the same failure modes in common, and less overall.

> In practice, how much checking does a proxy firewall actually do? I know
> I could connect through the HTTP proxy on our old Gauntlet firewall from
> the Internet, and by typing "GET http://mailserver:25/ HTTP/1.0" I could
> get a connection to our internal mail server and send email. So it
> obviously doesn't do much checking at the application layer.

Right, how much checking is done is implementation dependent (but look at the number of proxies that can filter ActiveX versus the number of filters that can.) Also, many protocols allow tunneling; that's not always necessarily controllable by the proxy (which is why protocol evaluation used to be a requirement for passing new protocols back in the days when application layer gateways were popular.)

> There are ways to configure the firewall to stop this, like not using
> the HTTP proxy! But unless you know about this 'feature' it's easy to
> get caught by it. How many more of these 'features' exist in your firewall?

HTTPS is the worst one, even almost all of the proxy firewalls relay it instead of proxying it.

> I believe that in practical terms the security of a firewall (or
> anything else) is governed more by the level of expertise of the person
> configuring it than its internal architecture.

There are things you can't protect against at the layer of a packet filter without maintaining massive state tables, lookup tables, etc., or denying traffic that application layer gateways protect against by default.

> The administrator of a stateful packet filter who knows it inside out is
> likely to have it configured much more securely than someone with an
> EAL4 accredited firewall who only knows what's in the manual.

You're assuming that the stateful filter has the feature set to be so configured for the protocols it's passing, unless you're considering just state, and then keeping state either breaks or works poorly for some sets of protocols.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
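The "GET http://mailserver:25/" trick above works because the proxy takes the host and port straight out of the absolute URI and opens a TCP connection to whatever it finds there; the same relay behaviour is what lets CONNECT (the HTTPS case) reach any port. The following is an added example, not code from the original thread or from any Gauntlet release: a request-line policy check of the kind an HTTP proxy would need in front of its connect step. The port allowlists, the function names and the sample request lines are all assumptions made for the illustration.

```python
"""Destination policy check for an HTTP forwarding proxy (added example).

Parses the first line of a proxied request, works out where the proxy
would connect, and refuses anything that is not a plausible web
destination.  The port policy below is an assumption for the example,
not a setting of any real product.
"""
from urllib.parse import urlsplit

# Assumed policy: plain HTTP proxying only to web ports, CONNECT only to 443.
ALLOWED_HTTP_PORTS = frozenset({80, 8080})
ALLOWED_CONNECT_PORTS = frozenset({443})
PROXIED_METHODS = frozenset({"GET", "HEAD", "POST"})


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its three parts or raise ValueError."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if not version.startswith("HTTP/"):
        raise ValueError("missing HTTP version")
    return method.upper(), target, version


def target_host_port(method, target):
    """Return the (host, port) the proxy would connect to for this request.

    CONNECT carries a bare 'host:port'; everything else must carry an
    absolute http:// URI (a proxy request), defaulting to port 80.
    """
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return host, int(port)
    url = urlsplit(target)
    if url.scheme.lower() != "http" or not url.hostname:
        raise ValueError("only absolute http:// URIs are proxied")
    port = url.port  # raises ValueError on a non-numeric port
    return url.hostname, 80 if port is None else port


def check_request(line):
    """Decide ('allow'|'deny', reason) for one request line.

    Anything the parser cannot make sense of is denied: a proxy that
    guesses at a malformed target is exactly the relay the thread warns about.
    """
    try:
        method, target, _ = parse_request_line(line)
        host, port = target_host_port(method, target)
    except ValueError as err:
        return ("deny", str(err))
    if method == "CONNECT":
        allowed = ALLOWED_CONNECT_PORTS
    elif method in PROXIED_METHODS:
        allowed = ALLOWED_HTTP_PORTS
    else:
        return ("deny", f"method {method} is not proxied")
    if port not in allowed:
        return ("deny", f"{method} to {host}:{port} refused: port not allowed")
    return ("allow", f"{method} {host}:{port}")


if __name__ == "__main__":
    # Constructed request lines, including the one quoted in the thread.
    for req in (
        "GET http://mailserver:25/ HTTP/1.0",
        "GET http://www.example.com/ HTTP/1.0",
        "CONNECT mail.example.com:25 HTTP/1.0",
        "CONNECT www.example.com:443 HTTP/1.1",
        "GET /index.html HTTP/1.0",
    ):
        print(f"{req!r:45} -> {check_request(req)}")
```

A port allowlist only closes the obvious hole. The deeper point in the thread still stands: once the proxy has connected, it has to actually speak HTTP to the server and drop anything that is not HTTP-framed, otherwise an SMTP server listening on port 80 is reachable in exactly the same way, and a CONNECT to 443 is a byte relay the proxy cannot inspect at all.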
