Are you comparing a PIX firewall to a router with ACLs?- wow.... not sure I can even start to help you out there....
One thing I can clear up is that the way router memory and processing deals with ACLs is very inefficient compared to most stateful inspection firewalls deal with their rule set- this is why the performance is 'generally' much better. Also, a proxy firewall, while inherently more secure, is not always all it's cracked up to be. Theoretically, a proxy firewall has the advantage of being able to recognize and determine 'legal' application calls, sequences, etc; thereby disallowing inappropriate activity. However, most proxy firewalls allow too much 'slack' in their application support because they either can't implement the specific application parameters or purposely don't because it's too difficult to pin down what is 'appropriate' in terms of an application (this is the reason that most IDS systems report so many false positives); performance comes into play as well in these tradeoffs. Also, by virtue of being an 'application-based' system, many of these proxy firewall systems are vulnerable themselves. We have found, through real-world experience, that the best combination for security and functionality is a stateful-inspection firewall system with the appropriate IDS systems inside it and a properly configured perimeter router implementation outside of it. Generally, we have found this to be the case, but we have done some specific implementations of proxy technology where it was appropriate to the specific application(s) being run. Saying that "all these stateful inspection/packet filter technologies work at too low a level" sounds like you may be missing the forest for the trees- these technologies are often effectively deployed in a comprehensive mult-layer solutions for enterprise security. -----Original Message----- From: Phil Kramer [mailto:[EMAIL PROTECTED]] Sent: Friday, September 28, 2001 11:23 PM To: [EMAIL PROTECTED] Subject: Re: Hardware Firewall vs Software Firewall My personal opinion is not hardware vs software, but what firewall is most secure. You can talk about PIX, CheckPoint, Linux with IPtables, IPchains and IPfilters but from a security point of view a pure application proxy is more secure. How many people can notice a 20 ms pause? If you want speed get a router with ACLS, that's what PIX is. All these stateful inspection/packet filter technolgies work at too low a level (layers 2-4) to provide enterprise security. For web servers, mail servers etc. you need layer 7 checking. Phil Kramer, SANS GSEC Systems Solutions Technologies, LLC Phone: 615-646-5766 email: [EMAIL PROTECTED]
