Ah ha - I just spent the last month answering these questions and more, as I was asked to research firewall solutions for my employer.
There are two types of firewall in use today: Proxy based (i.e. Symantec, better known as Raptor) and Stateful (i.e. PIX and CheckPoint).

Proxy firewalls intercept all requests. To a network device, the proxy firewall knows everything. This is the most secure of all firewalls, but it can become slow. Every request is authenticated, state is established, then it's taken to layer 7 for checking against a well-known RFC.

Stateful firewalls differ, but mainly work by making this process modular. Traffic is authenticated, state is established, and layer 7 checking is occasionally brought into play. Cisco and CheckPoint are a little sketchy with how they both handle this. In essence, user traffic (in the form of a conversation) passing through a stateful firewall must reach some level of trust to gain a dynamic rule in the state table. As the firewall: if your conversation is tested and fits requirements (rule sets), why do I need to do anything above securing that connection against exploit? With a proxy, every request in that conversation is tested as if untrusted.

Some pros and cons:

- Proxying is the most secure (minus vendor and platform exploits).
- Proxy is slower and requires beefier servers, when compared to appliances like the Nokia Firewall 1 and PIX.
- Stateful is not as secure, in the same sense as the proxy is secure. The modularity allows this type of firewall to focus on dynamic perimeter security and not become tied to the latest patch of firewall software.
- Proxy firewalls require patches or upgrades to allow new applications and RFCs. This too adds a bone of contention, when the patch contains a new exploit or performance degradation.
I would write more, but my 3 month old is telling me E-mail time is up :o)

Phil

----- Original Message -----
From: "John Tafasi"
To:
Sent: Saturday, November 10, 2001 11:58 PM
Subject: CID: Firewalls [7:25777]

> Hi Group,
>
> I am a little confused about the OSI layers at which different types of firewalls work
> (proxy, packet filters and stateful firewalls). Can anybody help with that?
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=25824&t=25777
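
The contrast drawn in the reply above (a stateful firewall grants a conversation a dynamic state-table entry once it passes the rule set, while a proxy re-tests every request) can be seen in a small model. This is an added example, not part of the original thread: the rule set, the regex standing in for an RFC check, the class names and the sample traffic are all constructed, and each "packet" stands for one application request.

```python
# Added illustration (not from the original thread). Toy model only:
# the rule set, the "protocol grammar" and the sample traffic are constructed.
import re

ALLOWED_DST = {("10.0.0.5", 80)}  # hypothetical rule set: one permitted server
VALID_REQUEST = re.compile(r"^(GET|HEAD) /\S* HTTP/1\.[01]$")  # stand-in for an RFC check


def rule_allows(pkt):
    return (pkt["dst"], pkt["dport"]) in ALLOWED_DST


def layer7_ok(pkt):
    return bool(VALID_REQUEST.match(pkt["payload"]))


class StatefulFirewall:
    """Full check on the first request, then only a state-table lookup."""

    def __init__(self):
        self.state = set()

    def handle(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.state:          # conversation already trusted: fast path
            return "pass"
        if rule_allows(pkt) and layer7_ok(pkt):
            self.state.add(key)        # dynamic rule for this conversation
            return "pass"
        return "drop"


class ProxyFirewall:
    """Every request is re-checked as if untrusted; no fast path."""

    def handle(self, pkt):
        return "pass" if rule_allows(pkt) and layer7_ok(pkt) else "drop"


def conversation():
    # Constructed sample: one conversation whose second request is malformed.
    base = {"src": "192.0.2.10", "sport": 40000, "dst": "10.0.0.5", "dport": 80}
    payloads = ["GET /index.html HTTP/1.0", "FROB /x HTTP/9.9", "HEAD / HTTP/1.1"]
    return [dict(base, payload=p) for p in payloads]


def verdicts(firewall):
    return [firewall.handle(p) for p in conversation()]


if __name__ == "__main__":
    print("stateful:", verdicts(StatefulFirewall()))
    print("proxy:   ", verdicts(ProxyFirewall()))
```

In this model the malformed second request rides the existing state entry through the stateful firewall but is dropped by the proxy, at the cost of a full check on every request.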

