In article <[EMAIL PROTECTED]>,
Bernd Eckenfels <[EMAIL PROTECTED]> wrote:
>No it is the other way around. The flood of new protocols leads to the point
>that the firewall vendors are not able to keep track and provide "secure"
>proxies for most of the protocols. They merely are able to rename their plug
>GW and use it for marketing "we support protocol X". Therefore a packet
>filter is not much less security.

There's two ways plug proxies are better than packet filters:

1. The configuration is much simpler... the proxy is either
   up or down, you don't have to deal with routing issues
   and the like, so you're less likely to accidentally open
   up too much while getting it set up.

2. Since a plug discards everything below the application level,
   stealth attacks based on fragmented packets and other games
   people play with IP don't work.

Whether these are significant advantages or not depends on the quality
of the inside server's TCP stack and the skill level of the firewall admin.

--
In hoc signo hack, Peter da Silva <[EMAIL PROTECTED]>
`-_-' Ar rug tú barróg ar do mhactíre inniu?
'U` "Be vewy vewy quiet...I'm hunting Jedi." -- Darth Fudd
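
Point 2 of the message above, as an added example that is not part of the original post and is not the code of any firewall product: a minimal plug-style TCP relay in Python, where the outside connection ends at the gateway and only the application byte stream is copied onto a second connection. The names `serve_plug`, `handle` and `pump` and the timeout value are assumptions made for illustration.

```python
import socket
import threading

CONNECT_TIMEOUT = 5  # seconds; constructed value for this example

def pump(src, dst):
    """Copy application bytes one way; on EOF or error, half-close the peer."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass  # reset or closed socket: treat as end of stream
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client, inside_addr):
    """Relay one session. The outside TCP connection ends here, at the gateway."""
    try:
        # New connection built by the gateway's own stack: the inside server
        # never sees the outside peer's packets, fragments or IP options.
        inside = socket.create_connection(inside_addr, timeout=CONNECT_TIMEOUT)
    except OSError:
        client.close()  # inside service unreachable: fail closed
        return
    inside.settimeout(None)  # relay until either side closes
    back = threading.Thread(target=pump, args=(inside, client), daemon=True)
    back.start()
    pump(client, inside)
    back.join()
    client.close()
    inside.close()

def serve_plug(listen_addr, inside_addr):
    """Listen on listen_addr and plug each session through to inside_addr."""
    lsock = socket.create_server(listen_addr)
    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return  # listening socket closed
            threading.Thread(target=handle, args=(client, inside_addr),
                             daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock
```

The inside server's peer address is always the gateway, so any per-client logging or access control has to happen at the plug.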