OOOohhhh man I've got a bunch of bones to pick with you now...
"Baribault, Gary" wrote:
>
> The two firewalls use different technologies, Gauntlet is a proxy type of
> firewall that intercepts all requests for resources inside your network and
> makes those requests for the outside user. That way, the outside user never
> has actual contact with the WEB (FTP, SMTP) server. Some (myself included)
> find this more secure. You never have to use a DMZ with this configuration.
So you feel that proxies provide 100% security just because the
outside user never has "direct" contact with the internal server?
WRONG.
A proxy with application level filtering capabilities (let's not start
on plug-gw here) can only protect against attacks known to the developer
of the proxy. MJR posted a note on this recently.
The problem here is that the Bad Guys(tm) are not likely to drop a note
to the fw developers saying "hey, here's a hole that needs to be patched".
What we're seeing today is a huge increase in data-driven attacks; that is,
it doesn't matter whether your HTTP request is delivered via proxy, floppy
or singing telegram: if it contains unexpected data, malicious scripts or
whatnot, your server is toast.
If your server is sitting on the internal network, this also means that
your entire internal network is toast.
Having the data passed from the external network to the server is
"direct connection enough" for these kinds of attacks; they're not
network-layer based any more. I think the discussion about the e-gap
product (url shuttle), which actually is a physical air gap according
to the producer, came to much the same conclusion.
Do not underestimate the value of network segmentation, which, to my mind,
is the only way to limit damages in the case of intrusion.
> FW1 on the other hand is more of a traditional FW in that, once it has
> found that the request from this user is allowable (passes all your rules)
> it forwards the packet to the WEB (FTP OR SMTP) server. The outside user
> actually talks directly with your server. Most people use a DMZ because the
> outside user is actually connected to your server and if he can compromise
> it (s)he is IN your network.
As I showed above, this holds equally true in the case of proxies.
> The other reason I chose Gauntlet is its integration with McAfee
> Anti-virus and CyberCop software.
This might be a good reason to pick Gauntlet, though.
I'm not trying to endorse FW-1 over Gauntlet or the other way around;
I'm just saying that proxies with application filtering capabilities
don't buy you as much as a lot of people like to think.
Regards,
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
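As an added example (not code from the original post, nor from Gauntlet or FW-1), the point Mike makes about application-level filtering can be shown with a toy signature-based proxy filter next to a positive allow-list check written for one specific backend URL, both run over constructed HTTP request lines. The signature list, the assumed backend URL shape (`/cgi-bin/report?id=<digits>`) and every sample request are assumptions made up for this illustration.

```python
"""Added example: signature-based proxy filtering vs. positive validation.

Not code from the original post, from Gauntlet or from FW-1. Everything here
(signatures, the backend's expected URL shape, the sample requests) is a
constructed assumption for illustration.
"""
import re
from typing import Dict, Tuple
from urllib.parse import unquote

# What a proxy developer can ship: patterns for attacks already known to them.
# (Constructed list; real products ship far more, but the principle is the same.)
KNOWN_BAD_SIGNATURES = [
    re.compile(r"<script", re.IGNORECASE),      # known: script injection
    re.compile(r"\.\./"),                        # known: directory traversal
    re.compile(r";\s*cat\s+/etc/passwd"),       # known: one shell-injection string
]

# What only the site operator can know: the exact shape of requests the
# backend CGI actually expects (assumed here: GET /cgi-bin/report?id=<digits>).
ALLOWED_TARGET = re.compile(r"^/cgi-bin/report\?id=\d{1,6}$")


def signature_filter(request_line: str) -> bool:
    """Forward (True) unless some known-bad signature matches the raw request line."""
    return not any(sig.search(request_line) for sig in KNOWN_BAD_SIGNATURES)


def backend_sees(request_line: str) -> str:
    """The request target as the web server decodes it, i.e. what really reaches the CGI."""
    _method, target, _version = request_line.split(" ", 2)
    return unquote(target)


def allowlist_filter(request_line: str) -> bool:
    """Forward (True) only if the decoded request is exactly what the backend expects."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return False
    return ALLOWED_TARGET.fullmatch(unquote(parts[1])) is not None


# Constructed request lines: one legitimate, one attack the developer knew
# about, and three "unexpected data" variants the signature list has no entry for.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/report?id=42 HTTP/1.0",
    "GET /cgi-bin/report?id=../../etc/passwd HTTP/1.0",
    "GET /cgi-bin/report?id=42;cat%20/etc/passwd HTTP/1.0",   # same attack, URL-encoded
    "GET /cgi-bin/report?id=42|/usr/bin/id HTTP/1.0",         # different metacharacter
    "GET /cgi-bin/report?id=" + "9" * 200 + " HTTP/1.0",        # oversized field
]


def compare(requests=SAMPLE_REQUESTS) -> Dict[str, Tuple[bool, bool]]:
    """Map each request line to (signature filter forwards it, allow-list forwards it)."""
    return {r: (signature_filter(r), allowlist_filter(r)) for r in requests}


if __name__ == "__main__":
    for req, (sig_ok, allow_ok) in compare().items():
        print(f"signature={'PASS' if sig_ok else 'BLOCK'} "
              f"allowlist={'PASS' if allow_ok else 'BLOCK'}  {req[:60]}")
```

Only the traversal request, the one the signature author had already seen, is stopped by the signature filter; the encoded variant, the alternative metacharacter and the oversized field all pass it and reach the backend as unexpected data, which is the failure mode described in the post. The allow-list is not a silver bullet either (it is only as good as the operator's knowledge of the application), which is why the segmentation argument still stands for whatever does get through.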