On Thu, 4 Apr 2002, kk downing wrote:

> I agree with your observations on marketing-fueled
> economies but my question is why is a proxy firewall
> inherently more secure than stateful inspection. I
This has been hashed and rehashed on this list for *years*; searching around will find megabytes of information on the subject, but briefly:

1. No need to pass DNS to all the clients, eliminating resolver attacks, DNS tunneling, etc.

2. Ditto ICMP, without breaking unreachables, etc.

3. IP transport layer issues such as the old URG pointer stuff in Windows products that are unknown by the designer don't get to kill all the "protected clients."

4. Fragment overlap attacks and attempts aren't handled inconsistently by different "protected" machines, since they're all handled by the proxy.

5. No need to worry about sequence number prediction attacks for thousands of clients, just one host.

6. Potential to "fix" content and protocol issues at the proxy instead of normally having to do so at each individual client.

There are more, but those are the main ones.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
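As an added illustration of points 1, 5 and 6 in the reply above (example code written for this page, not from the original post or the list): a minimal HTTP forward proxy that terminates the client's TCP session at the proxy, accepts only a narrow, well-formed subset of HTTP, resolves the destination name itself so clients need no resolver, and re-emits a canonical request on a fresh TCP session to the origin. The allowed methods, the header allow-list, the size limit and the listen address are assumptions chosen for the example.

```python
"""Minimal HTTP forward proxy: the proxy, not the client, parses the request,
resolves the destination name and opens the outbound TCP session, so only the
proxy host faces the raw network.  Added example; the policy constants below
are assumptions, not anything the list post specifies."""
import re
import socket

ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # assumed policy
FORWARDED_HEADERS = {"host", "user-agent", "accept",  # assumed allow-list
                     "content-type", "content-length"}
MAX_REQUEST_BYTES = 16 * 1024                      # assumed size cap
_TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token
_HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
_TARGET = re.compile(rb"^http://([^/:]+)(?::(\d{1,5}))?(/[^\s]*)?$")


def parse_request(raw: bytes) -> dict:
    """Parse an HTTP/1.x request in absolute-URI (proxy) form.
    Raises ValueError on anything outside the subset the proxy understands."""
    if len(raw) > MAX_REQUEST_BYTES:
        raise ValueError("request too large")
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise ValueError("unsupported version")
    method = method.decode("ascii", "strict")
    if method not in ALLOWED_METHODS:
        raise ValueError("method not allowed")
    m = _TARGET.match(target)
    if not m:
        raise ValueError("target must be an absolute http:// URI")
    host = m.group(1).decode("ascii", "strict")
    if not _HOSTNAME.match(host):
        raise ValueError("bad host")
    port = int(m.group(2)) if m.group(2) else 80
    if not 1 <= port <= 65535:
        raise ValueError("bad port")
    path = (m.group(3) or b"/").decode("ascii", "strict")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            raise ValueError("malformed header")
        # Reject bare LF / NUL / other control bytes (header injection); allow tab.
        if any((b < 0x20 and b != 0x09) or b == 0x7F for b in value):
            raise ValueError("control character in header value")
        key = name.decode("ascii").lower()
        if key in headers:          # duplicate headers are a smuggling vector
            raise ValueError("duplicate header")
        headers[key] = value.strip().decode("ascii", "strict")
    if "host" in headers and headers["host"].split(":")[0].lower() != host.lower():
        raise ValueError("Host header does not match request target")
    if "content-length" in headers and not headers["content-length"].isdigit():
        raise ValueError("bad Content-Length")
    return {"method": method, "host": host, "port": port, "path": path,
            "headers": headers, "body": body}


def check(raw: bytes) -> str:
    """Return 'ok' if the proxy would accept the request, else the reason."""
    try:
        parse_request(raw)
        return "ok"
    except ValueError as err:
        return str(err)


def canonical_request(req: dict) -> bytes:
    """Rebuild the request from parsed fields so the origin only ever sees a
    well-formed HTTP/1.1 request with a known header set: whatever oddities
    the client emitted never leave the proxy."""
    lines = [f"{req['method']} {req['path']} HTTP/1.1"]
    headers = {k: v for k, v in req["headers"].items() if k in FORWARDED_HEADERS}
    headers["host"] = req["host"] if req["port"] == 80 else f"{req['host']}:{req['port']}"
    headers["connection"] = "close"
    if req["body"] or req["method"] == "POST":
        headers["content-length"] = str(len(req["body"]))   # recomputed, never trusted
    else:
        headers.pop("content-length", None)
    lines += [f"{k}: {headers[k]}" for k in sorted(headers)]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + req["body"]


def resolve_upstream(host: str, port: int):
    """Name resolution happens only here, on the proxy host."""
    family, _, _, _, addr = socket.getaddrinfo(host, port, socket.AF_UNSPEC,
                                               socket.SOCK_STREAM)[0]
    return family, addr


def handle_client(conn: socket.socket) -> None:
    """The client's TCP session ends here; a separate one starts upstream."""
    try:
        req = parse_request(conn.recv(MAX_REQUEST_BYTES + 1))
    except ValueError as err:
        conn.sendall(f"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n{err}\n".encode())
        return
    family, addr = resolve_upstream(req["host"], req["port"])
    with socket.socket(family, socket.SOCK_STREAM) as up:
        up.settimeout(10)
        up.connect(addr)
        up.sendall(canonical_request(req))
        while chunk := up.recv(65536):
            conn.sendall(chunk)


def serve(listen_addr=("127.0.0.1", 8080)) -> None:   # assumed listen address
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen_addr)
        srv.listen()
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    handle_client(conn)
                except OSError:
                    pass


if __name__ == "__main__":
    serve()
```

Run it and point a client at 127.0.0.1:8080 with no DNS configured on the client side; `check()` is the same validation `handle_client()` applies, exposed so the accept/reject decisions can be exercised offline on constructed requests. Note what the origin-side `canonical_request()` output does not contain: the client's unrecognised headers, its Content-Length, its HTTP version, and any TCP/IP-level quirks of the client stack, because the upstream session is the proxy's own.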
