[4860] in WWW Security List Archive


Re: Packet Filters or Proxy Firewalls?

daemon@ATHENA.MIT.EDU (Jesse Whyte)
Thu Mar 20 17:41:54 1997

Date: Thu, 20 Mar 1997 10:11:59 -0500
From: Jesse Whyte <jesse@eac.com>
Reply-To: jesse@eac.com
To: Simon Yeo <syeo@cs.stanford.edu>
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Simon Yeo wrote:
> 
> Hello,
> 
> We're looking to set up an interior firewall for our internal network
> mainly consisting of NT machines.  We already have an exterior firewall
> set up, and will put our web, mail, and dns servers in the perimeter zone
> (between the two firewalls).
> 

Simon,

This is an argument that has been circulating in the security community for
a long time.  A lot of people get religious on this subject, almost to
the point of UNIX/NT wars.  However, I hope I can offer you a little bit
of help from my packet-filtering biased perspective...

An application-level firewall using proxies gives you more individual
control over the services that you want to offer.  It also gives you
extra levels of authentication if you so desire, and presents only a
single "target" to the outside world (the proxy gateway).  However, if
you already have an external firewall, a packet-filtering router should
do well as a second line of defense.  The best reference for this point
of view would be Cheswick and Bellovin, where the internal router would
serve as a choke point.  You can use it to restrict inbound access from
the DMZ to prevent a fire from spreading and also use it to point all
outgoing connections to the proxy on your external host. 

I think that it would be overly redundant to set up another full-fledged
firewall for the same traffic.

Just my $0.03...(inflation)

Jesse

> I have had some experience with packet filtering routers (CISCO), so I'm
> inclined to purchase a similar router for the firewall.  Before I do that,
> I need some opinions on why I should choose a proxy firewall instead of a
> simple packet filtering router, and vice versa.   Things to consider are:
> 
> 1) Cost
> 2) Performance
> 3) Management cost (maintenance)
> 4) Level of security
> 5) etc.
> 
> Thanks in advance,
> 
> ----
> Eclipse Technical Group
> Sr. IS Specialist
> Simon Yeo

-- 
***********************************************************************
Jesse Whyte		EAC Network Integrators		
Security Analyst	Trumbull, CT
jesse@eac.com		http://www.eac.com
(203) 371-2441
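The choke-point policy Jesse describes (DMZ may only send replies inward, inside hosts may only leave through the proxy on the external host) can be written as two Cisco-style extended access lists, one per router interface. The block below is an added example, not part of the original post and not anyone's production configuration: it contains a small evaluator for a subset of the `access-list` syntax (permit/deny, tcp/udp/ip, `host`/wildcard/`any`, `eq`, `established`) with the page's policy embedded as a constructed fragment. All addresses (inside 10.1.0.0/16, DMZ 192.0.2.0/24, proxy at 192.0.2.1 port 8080, DMZ resolver at 192.0.2.53) and list numbers are assumptions chosen for illustration; the packets it evaluates are constructed, not captured traffic.

```python
"""Toy evaluator for Cisco-style extended ACLs, used to check the interior
choke-point policy from the post.  Added example; addresses, ports and
list numbers are assumptions, not values from the original message."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK or RST bit set (what IOS "established" tests)


def _in_net(addr, spec):
    """spec is 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (wildcard mask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec[5:]
    net, wild = spec.split()
    # Cisco wildcard: 0 bits must match, 1 bits are don't-care
    mask = (~int(ipaddress.IPv4Address(wild))) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(net)) & mask)


def _take_addr(toks):
    t = toks.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return "host " + toks.pop(0)
    return t + " " + toks.pop(0)       # network + wildcard


def _take_port(toks):
    if toks and toks[0] == "eq":
        toks.pop(0)
        return int(toks.pop(0))
    return None


def parse_acl(text):
    """Return {list_number: [rule, ...]} in file order; lines starting '!' are comments."""
    acls = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        toks = line.split()
        assert toks[0] == "access-list", line
        num, action, proto, toks = toks[1], toks[2], toks[3], toks[4:]
        src, sport = _take_addr(toks), _take_port(toks)
        dst, dport = _take_addr(toks), _take_port(toks)
        established = bool(toks) and toks[0] == "established"
        acls.setdefault(num, []).append(dict(action=action, proto=proto, src=src, sport=sport,
                                             dst=dst, dport=dport, established=established))
    return acls


def evaluate(rules, pkt):
    """First matching rule decides; IOS ends every list with an implicit 'deny ip any any'."""
    for r in rules:
        if r["proto"] not in ("ip", pkt.proto):
            continue
        if not _in_net(pkt.src, r["src"]) or not _in_net(pkt.dst, r["dst"]):
            continue
        if r["sport"] is not None and r["sport"] != pkt.sport:
            continue
        if r["dport"] is not None and r["dport"] != pkt.dport:
            continue
        if r["established"] and not (pkt.proto == "tcp" and pkt.ack):
            continue
        return r["action"]
    return "deny"


# Constructed policy (assumed addressing): inside 10.1.0.0/16, DMZ 192.0.2.0/24,
# proxy on the external firewall host 192.0.2.1:8080, DMZ resolver 192.0.2.53.
CHOKE_POINT = """
! 101: applied inbound on the DMZ-facing interface -- what the DMZ may send inside.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 10.1.0.0 0.0.255.255 established
access-list 101 permit udp host 192.0.2.53 eq 53 10.1.0.0 0.0.255.255
access-list 101 deny ip any any
! 102: applied inbound on the inside-facing interface -- inside hosts may only
! reach the proxy and the DMZ resolver; no direct outbound connections.
access-list 102 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.1 eq 8080
access-list 102 permit udp 10.1.0.0 0.0.255.255 host 192.0.2.53 eq 53
access-list 102 deny ip any any
"""
ACLS = parse_acl(CHOKE_POINT)


def from_dmz(pkt):
    return evaluate(ACLS["101"], pkt)


def from_inside(pkt):
    return evaluate(ACLS["102"], pkt)


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "dmz_web_to_inside_smb": Packet("tcp", "192.0.2.80", 40000, "10.1.0.5", 139),
    "proxy_reply":           Packet("tcp", "192.0.2.1", 8080, "10.1.0.5", 1234, ack=True),
    "dns_reply":             Packet("udp", "192.0.2.53", 53, "10.1.0.5", 2000),
    "inside_to_proxy":       Packet("tcp", "10.1.0.5", 1234, "192.0.2.1", 8080),
    "inside_direct_web":     Packet("tcp", "10.1.0.5", 1235, "203.0.113.7", 80),
    "crafted_ack_from_dmz":  Packet("tcp", "192.0.2.80", 40001, "10.1.0.5", 139, ack=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        decide = from_dmz if pkt.src.startswith("192.0.2.") else from_inside
        print(f"{name:24s} -> {decide(pkt)}")
```

Running it shows the intended behaviour (a new connection from the DMZ web server to an inside SMB port is denied, replies from the proxy and resolver are permitted, inside hosts reach the proxy but not the Internet directly) and also the caveat that makes this a second line of defense rather than a replacement for the proxy: the last sample, a packet from a compromised DMZ host with the ACK bit set and no real connection behind it, passes the `established` rule, because a stateless filter checks flags, not connection state.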
