On Tue, 23 Mar 1999, Daemeon Reiydelle wrote:
> Stateful inspection is a big win, and e.g. Firewall-1 doesn't take a lot
It's early, so maybe I'm just not awake, but perhaps you can explain
exactly how keeping state on connections to a publicly accessible server
is a big win (keyword big)?
I don't see a great deal of non-incremental value in this case to adding
a firewall. State on the host is cheaper (i.e. free with IPfilter), and you
don't add a single point of failure/upgrade in a "firewall" machine.
In any case, since mail and DNS are outbound, the only significant
attacks I can see there are with spoofing, and state doesn't buy you
anything there (a spoofed packet will come in just as easily as a
non-spoofed packet as long as the source, dest, and seq are correct -
which they have to be to succeed.) That leaves SSL and VPN; since you
have to allow inbound connections (at least in the case of SSL, presumably
from *anywhere*), state is useless. Since both of those services are encrypted,
"inspection" doesn't work for those cases.
The only thing I can see adding a packet filtering firewall would buy you is
protection from known transport-layer attacks that the vendor has already
addressed. You get the same amount of protection from upgrading the OS,
and you have the same upgrade path in either case (firewall or host)
should new attacks become discovered. Adding a proxy-based firewall adds
a great deal of latency, and more transport-layer protection, but you're
still stuck with the stack of the proxy having the same upgrade
requirements as the hosts would. Pick a good host OS (as you'd have to
do a firewall OS) and you're at the same point for less cost (since you'd
want to do that anyway).
Now an NFR or similar product could bring some new value to the
proposition, but I just can't see how a firewall would, especially if you
bring host filtering in to complement the screening router's protections.
Maybe I'm missing something here?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
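As an added illustration (not part of Paul's message or of the IPfilter project's documentation), this is what "state on the host" looks like as an IPfilter ruleset for the server described above: outbound mail and DNS, inbound SSL from anywhere, everything else blocked. The interface name hme0 and the address 192.0.2.10 are constructed assumptions; the anti-spoofing rules drop packets arriving from outside that claim a local or loopback source, which is the only spoofing case a filter can actually catch, as the message notes.

```text
# ipf.conf for a public server keeping its own connection state (constructed example).
# Assumptions: external interface hme0, server address 192.0.2.10.
# Rules use "quick" so the first match wins; default is deny in both directions.

# Default deny, logged so the host's own logs show what was dropped.
block in log all
block out log all

# Anti-spoofing: nothing arriving from outside may claim our own address,
# a loopback source, or an RFC 1918 source.
block in log quick on hme0 from 192.0.2.10/32 to any
block in log quick on hme0 from 127.0.0.0/8 to any
block in log quick on hme0 from 10.0.0.0/8 to any
block in log quick on hme0 from 172.16.0.0/12 to any
block in log quick on hme0 from 192.168.0.0/16 to any

# Outbound mail and DNS, as described in the message. "keep state" creates a
# table entry so the replies are admitted without any open inbound rule.
pass out quick on hme0 proto tcp from 192.0.2.10 to any port = 25 flags S keep state
pass out quick on hme0 proto udp from 192.0.2.10 to any port = 53 keep state
pass out quick on hme0 proto tcp from 192.0.2.10 to any port = 53 flags S keep state

# Inbound SSL from anywhere: only a SYN may open a state entry; later
# segments of the handshake and session are matched by the state table.
pass in quick on hme0 proto tcp from any to 192.0.2.10 port = 443 flags S keep state

# Loopback traffic is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all
```

With this ruleset the state table, rather than a separate firewall, decides which inbound segments belong to an established connection; the cost is a host-local table, and there is no extra box to patch or to fail. It also shows the limit Paul points out: for port 443 the rule has to accept a SYN from any source, so "state" adds nothing against a correctly forged packet there, and since the session is encrypted there is nothing for content inspection to examine.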