[4855] in WWW Security List Archive


Re: Packet Filters or Proxy Firewalls?

daemon@ATHENA.MIT.EDU (Vinnie Vedi Dolavimus)
Wed Mar 19 23:00:22 1997

Date: Wed, 19 Mar 1997 20:46:36 -0500 (EST)
From: Vinnie Vedi Dolavimus <sfuze@escape.com>
To: Simon Yeo <syeo@cs.stanford.edu>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.GSO.3.94.970318204719.19580I-100000@Xenon.Stanford.EDU>
Errors-To: owner-www-security@ns2.rutgers.edu

First things first -- having a packet filtering router alone is really 
about as much security as having no security at all.

Second, proxy servers -- at this point in time there are more advanced 
and applicable firewall systems, especially for a distributed environment 
like you would probably need.  Most of the major vendors are moving away 
from proxy servers if they haven't already... you're probably better off 
with something using stateful inspection (basically checks state and 
context of everything), so you don't have to have a separate proxy for 
every service you want to implement (proxy servers basically usually only 
support the 5 basic ones anyway (web, ftp, mail, etc.) -- and it sounded 
like you were considering putting that out of your firewall anyway 
(although I wouldn't recommend that, esp. considering how easy it is to 
hack email and webpages nowadays).  The other good thing about stateful 
inspection is that it makes response times and performance much better 
and you can scale later on... I think that is where firewalls are going, 
or will be soon.

Hope this has been some help,
Millie.
sfuze@escape.com

On Tue, 18 Mar 1997, Simon Yeo wrote:

> 
> 
> Hello,
> 
> We're looking to set up an interior firewall for our internet network
> mainly consisting of NT machines.  We already have an exterior firewall
> set up, and will put our web, mail, and dns servers in the perimeter zone
> (between the two firewalls). 
> 
> I have had some experience with packet filtering routers (CISCO), so I'm
> inclined to purchase a similar router for the firewall.  Before I do that,
> I need some opinions on why I should choose a proxy firewall instead of a
> simple packet filtering router, and vice versa.  Things to consider are:
> 
> 1) Cost
> 2) Performance
> 3) Management cost (maintenance)
> 4) Level of security
> 5) etc.
> 
> Thanks in advance,
> 
> ----
> Eclipse Technical Group
> Sr. IS Specialist
> Simon Yeo
> 
> 
> 
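
The difference between a static packet filter and the stateful inspection recommended in the reply above, as an added example that is not part of the original thread. The addresses, ports, and the simplified "ACK or RST set" return rule are assumptions made for illustration; real stateful firewalls also track sequence numbers and timeouts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"})

def inside(ip):
    # Constructed layout: 10.x.x.x is the interior network.
    return ip.startswith("10.")

def stateless_allow(p):
    """Static filter: outbound is allowed; inbound is allowed whenever
    ACK or RST is set, because the filter keeps no memory of connections."""
    if inside(p.src):
        return True
    return inside(p.dst) and bool(p.flags & {"ACK", "RST"})

class StatefulFilter:
    """Remembers connections opened from inside; inbound must match one."""
    def __init__(self):
        self.conns = set()

    def allow(self, p):
        if inside(p.src):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == {"SYN"}:
                self.conns.add(key)      # new outbound connection
            return key in self.conns
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.conns:
            return False                 # no matching connection: drop
        if "RST" in p.flags:
            self.conns.discard(key)      # connection is over
        return True

def run(trace):
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in trace]

F = frozenset
TRACE = [  # constructed packets; 192.0.2.80 is a perimeter web server
    Pkt("10.0.0.5", 40000, "192.0.2.80", 80, F({"SYN"})),         # client opens
    Pkt("192.0.2.80", 80, "10.0.0.5", 40000, F({"SYN", "ACK"})),  # genuine reply
    Pkt("192.0.2.80", 80, "10.0.0.9", 5000, F({"ACK"})),          # unsolicited
    Pkt("192.0.2.80", 80, "10.0.0.5", 40000, F({"RST"})),         # teardown
    Pkt("192.0.2.80", 80, "10.0.0.5", 40000, F({"ACK"})),         # after close
]
```

`run(TRACE)` returns one `(stateless, stateful)` verdict pair per packet: the static filter passes all five, while the stateful filter drops the unsolicited packet and the one arriving after the connection closed.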
