[EMAIL PROTECTED] wrote:
>
> Proxy firewalls create a new sessions for a connection. One session is
> between client and firewall; the second is between firewall and server.

This is all true and good.

> It then examines the session for conformance to the RFC's, normalizes
> character sets, catches buffer overflows etc..

C>N@K *cough*

PLEASE give me an example of a proxy firewall that actually DOES all of this for even one single protocol, let alone for more than one protocol.

> preventing sequence number attacks, fragmentation attacks etc.
> so is better than stateful inspection.

Except of course for attacks that could "only" result in DoS, and take down the proxy firewall with it (since they tend to live on full-blown multi-user OS:es like Solaris, NT, etc), rather than just "some" machines behind a stateful inspection firewall that does not know to protect against things like this.

(Although this argument is getting somewhat old now, since stateful inspection firewalls in general catch at least most of these attacks, and proxy firewalls are immune to them as long as the administrator remembers to apply the latest OS security patches.)

Can I counter some now? :)

Please show me how to divide a corporate network, with multiple publicly accessible servers with different security ratings, and with back-end servers accessible from said servers, into ... oh, let's say fifty different security zones, using any proxy firewall available today.

(I myself lean towards designing networks with one such server per firewalled segment. It makes for very nice defense in depth and damage control.)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com

"Senex semper diu dormit"

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
