"Paul D. Robertson" wrote:
>
> [on stateful inspection firewalls needing to know about stuff
> that proxies don't]
> Ah, but the point still stands that the packet filter has to know about
> some frag and other bugs (like URG) - and indeed has to do things like
> "drop all packets with URG set" because there might be one unpatched
> client (after the firewall's been updated) rather than allow legitimate
> URG traffic after the firewall's been patched.

(Or strip URG data, which is what a proxy usually would be doing ;))

Isn't there an interesting flip-side to this? That since the firewall
needs to know about all of this (it being properly upgraded and
professionally administered and all), it can also trigger alerts on
these events?

(But on the other hand, the same can also be said about IDSes with
external sensors, if this hypothetical organization has paid for it?)

> On Fri, 5 Apr 2002, Mikael Olsson wrote:
> > Please show me how to divide a corporate network, with
> > multiple publicly accessible servers with different
> > security ratings, and with back-end servers accessible
> > from said servers, into ... oh, let's say fifty different
> > security zones, using any proxy firewall available today.
>
> 4 Ultra2's with 3 QFEs each (yes, the U2 is EOL, but that's how I used to
> build them.) Lots of PCs with Linux and open source proxies. One box
> with lots of proxies and per-ruleset and per-address block IP to proxy
> mappings. Alternately, IPSEC to the proxies. That's if you want fair
> separation, otherwise, just do it in the rulebases.

Are you telling me that you've actually set up and successfully supported
installations like this? (With or without IPSEC to the proxies?)
Don't get me wrong; I'm just baffled and would truly like to know.

On another note: I think my original question was more aimed at
commercially available stuff, although I didn't say that - I know.
Open source is all well and good, given the standard set of arguments,
but often you also trg gb or fpnerq fuvgyrff ol fbzr crbcyr'f (ynpx bs)
pbqvat cenpgvprf. But then again, that's all IMHO and very inflammatory,
hence the ebg13.

Regards,
Mikael Olsson

PS. Yes I know, proxy vs state is a really old topic and still very
inflammatory and we both know that a combo is the best way to go.
However, I still think there are a couple of interesting points left
to hash out. I'll try to stay away from evangelism and flames if you do
the same, mkay?
:)

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50  WWW: http://www.clavister.com
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
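The thread above contrasts two ways a filtering device can handle TCP segments with the URG flag set ("drop all packets with URG set" versus stripping the urgent data the way a proxy would) and asks whether the same knowledge can drive an alert. The following is an added illustration, not code from the original post, from Paul D. Robertson or from Clavister: a small Python model of that decision point. It parses the fixed 20-byte TCP header from raw bytes, emits an alert line whenever URG is set, and then either drops the segment or clears the URG bit and urgent pointer and recomputes the TCP checksum so the forwarded segment stays valid. All function names, the two policies and the sample addresses and segments are constructed for this example.

```python
import socket
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
URG = 0x20
ACK = 0x10

# Constructed sample endpoints for the demo (not captured traffic).
SRC_IP, DST_IP = "10.0.0.5", "192.0.2.10"


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry, as used by TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol 6 (TCP), TCP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + segment; the checksum field must be zero."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF


def checksum_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correctly checksummed segment folds to 0xFFFF when summed as received."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed part of the TCP header (options are left in place)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urgptr = struct.unpack("!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "off_flags": off_flags, "data_offset": (off_flags >> 12) * 4,
        "flags": off_flags & 0x1FF, "window": window, "csum": csum, "urgptr": urgptr,
    }


def build_tcp_segment(src_ip, dst_ip, sport, dport, flags, urgptr=0, payload=b"") -> bytes:
    """Build a minimal (no options) TCP segment with a correct checksum."""
    header = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | flags, 65535, 0, urgptr)
    segment = header + payload
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]


def inspect_segment(src_ip, dst_ip, segment, policy="drop"):
    """Return (action, forwarded_segment_or_None, alert_or_None).

    policy="drop"  : the packet-filter stance from the thread, block anything with URG.
    policy="strip" : the proxy-like stance, forward it with URG cleared. Note that
                     clearing the flag leaves the bytes in the stream as ordinary data.
    Either way an alert line is produced, since the device had to recognise URG anyway.
    """
    hdr = parse_tcp_header(segment)
    if not hdr["flags"] & URG:
        return "pass", segment, None
    alert = (f"ALERT tcp_urg src={src_ip}:{hdr['sport']} dst={dst_ip}:{hdr['dport']} "
             f"urgent_pointer={hdr['urgptr']} policy={policy}")
    if policy == "drop":
        return "drop", None, alert
    # Clear URG in the flags word, zero the checksum and urgent pointer, recompute.
    off_flags = hdr["off_flags"] & ~URG
    fixed = segment[:12] + struct.pack("!H", off_flags) + segment[14:16] + b"\x00\x00\x00\x00" + segment[20:]
    fixed = fixed[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, fixed)) + fixed[18:]
    return "strip", fixed, alert


if __name__ == "__main__":
    urgent = build_tcp_segment(SRC_IP, DST_IP, 40000, 80, ACK | URG, urgptr=1, payload=b"!X")
    normal = build_tcp_segment(SRC_IP, DST_IP, 40001, 80, ACK, payload=b"GET")
    for seg in (urgent, normal):
        for policy in ("drop", "strip"):
            action, out, alert = inspect_segment(SRC_IP, DST_IP, seg, policy)
            print(action, alert, None if out is None else checksum_valid(SRC_IP, DST_IP, out))
```

Running the block shows the normal segment passing under both policies, the URG segment being dropped under the first policy, and under the second being forwarded with the flag cleared and a checksum that still verifies; in both URG cases the same alert line is produced, which is the point raised in the message about a filter that has to understand the condition being able to report it.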
