[4864] in WWW Security List Archive
Re: Packet Filters or Proxy Firewalls?
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Fri Mar 21 00:03:14 1997
To: bve@quadrix.com (BVE)
cc: sfuze@escape.com, www-security@ns2.rutgers.edu
Date: Thu, 20 Mar 1997 21:42:08 -0500
From: Steven Bellovin <smb@research.att.com>
Errors-To: owner-www-security@ns2.rutgers.edu
> > From: Vinnie Vedi Dolavimus <sfuze@escape.com>
> > First things first -- having a packet filtering router alone is really
> > about as much security as having no security at all.
>
> Ummm... I would have to *VEHEMENTLY* disagree with this!!!
In general, application gateways are more secure than packet filters.
But a lot depends on the details, and on exactly what you're letting
through. If you're only letting through one or two ports -- say,
port 80, since this is a WWW list -- and your firewall wouldn't do
any high-level scanning (deleting Java and ActiveX, looking for horribly
long URLs, etc.), a packet filter will suffice. The point about application
gateways is that they can do that sort of high-level work if you so choose.
Packet filters are fundamentally limited for that sort of thing.
There are other distinguishing traits, such as the likelihood of errors
in rule setup and in the code on the packet filter, but again, for very
simple cases they probably don't matter. For more complex situations,
I would generally recommend avoiding packet filters.
--Steve Bellovin
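The distinction Bellovin draws, made concrete as an added example (this is not code from the original message or from any product it refers to): a stateless packet filter decides on header fields only, so a request to port 80 carrying a 9000-byte URL looks identical to a normal one, while an application gateway parses the HTTP request line and can reject it, and can scrub Java applets and ActiveX objects from responses. The filter rule (TCP to 192.0.2.10 port 80), the 8 KiB URL limit, the tag-stripping regex and the sample traffic are all assumptions constructed for the illustration.

```python
"""Packet filter vs. application gateway: what each layer can see.

Added illustration, not from the original message. Both models are toys;
the filter rule, the URL limit and the sample traffic are assumed.
"""
import re
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"   # assumed address of the protected web server
MAX_URL_LEN = 8192          # assumed cut-off for a "horribly long URL"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


def packet_filter(pkt: Packet) -> str:
    """Stateless packet filter: allow TCP/80 to the web server, deny all else.

    The payload is never examined, so anything that fits the 5-tuple passes.
    """
    if pkt.proto == "tcp" and pkt.dst == WEB_SERVER and pkt.dport == 80:
        return "allow"
    return "deny"


def application_gateway(pkt: Packet) -> str:
    """HTTP application gateway: same network rule, then parse the request."""
    if packet_filter(pkt) != "allow":
        return "deny"
    try:
        request_line = pkt.payload.split(b"\r\n", 1)[0].decode("ascii")
        method, url, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny: malformed request line"
    if method not in ("GET", "HEAD", "POST"):
        return "deny: method"
    if len(url) > MAX_URL_LEN:
        return "deny: URL too long"
    if not version.startswith("HTTP/1."):
        return "deny: version"
    return "allow"


def strip_active_content(body: bytes) -> bytes:
    """Gateway-side response scrubbing: drop <applet> (Java) and <object> (ActiveX)."""
    return re.sub(rb"(?is)<(applet|object)\b.*?</\1\s*>", b"", body)


def compare(pkt: Packet) -> dict:
    """Run both models over one packet so the difference is visible side by side."""
    return {"packet_filter": packet_filter(pkt),
            "application_gateway": application_gateway(pkt)}


# Constructed sample traffic (not captured data).
NORMAL = Packet("198.51.100.7", WEB_SERVER, "tcp", 80,
                b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
LONG_URL = Packet("198.51.100.7", WEB_SERVER, "tcp", 80,
                  b"GET /" + b"A" * 9000 + b" HTTP/1.0\r\n\r\n")
TELNET = Packet("198.51.100.7", WEB_SERVER, "tcp", 23, b"\xff\xfd\x18")
RESPONSE = (b"<html><p>hello</p>"
            b"<applet code=Evil.class width=1 height=1></applet>"
            b"<object classid=clsid:0000></object><p>bye</p></html>")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("long_url", LONG_URL), ("telnet", TELNET)):
        print(name, compare(pkt))
    print(strip_active_content(RESPONSE))
```

The long-URL case is the one that matters: both layers say "allow" on the header alone, and only the gateway, because it reassembles and parses the request, can say no. The cost is exactly the extra code and per-protocol parsing that Bellovin notes is a source of its own errors.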