> Yes, this would be enough, but it is not in the skill of the majority
> of the security administrators I met. Therefore most protocols are
> handled in packet filter manner.
Agreed. A certain skillset is required to make the product really shine, or
for that matter, just to get it installed "properly" (to know about the
properties screen that, by default, passes protocols not defined in the rule
base, for example).
> Because stateful inspection of FW-1 is not working on layer 4 it is
> faster than an application layer gateway.
Even in situations where FW-1 is inspecting all layers, it will be faster by
virtue of running in kernel space rather than in user space.
> But what if a telnet-daemon is listening on port 80. Then the user is
> able to make telnet to the internet, which might not be the intention of
> the security-administrator. I know there is http-tunnel, thus it is not
> enough to use a proxy, but if you forbid your users to install their
> own software on their clients, you can in companion with an application
> layer gateway hinder your users from telnetting to the internet.
Well, it's pretty tough to defend against a malicious user on the inside,
such as one running a telnet daemon on port 80 for purposes described above.
Any number of things can be done to get data out of the network, even if it
comes down to a floppy disk in a shirt pocket...
> I agree with you that FW-1 is not only a little better than a
> traditional packet filter, but you can not ignore the advantages in
> security of the ability to control the commands on layer 4 over the
> stateful inspection approach.
Hmmm...I guess I just don't understand what exactly can be done with an
application layer gateway that FW-1 could not facilitate. Not a big deal,
though...we can drop the thread.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
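The "telnet daemon on port 80" case discussed in the thread is the cleanest illustration of what an application layer gateway adds over a layer-4 rule. The following is an added example, not code from the thread or from FW-1: a layer-4 rule permitting TCP/80 passes any byte stream on that port, while an HTTP-aware proxy relays a connection only after the client has spoken a syntactically valid HTTP request line. The function names, the simplified request-line grammar and the sample connections are all constructed for this illustration.

```python
"""
Added example (not from the firewalls list thread): contrast a layer-4
'permit tcp any any eq 80' rule with an HTTP application-layer gateway.
The packet-filter rule never looks at the payload, so an interactive telnet
session to a telnetd bound to port 80 is indistinguishable from a web fetch.
The gateway parses the client's first bytes and only relays well-formed HTTP.
All sample connections below are constructed for the example.
"""
import re

# Simplified HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
# (methods restricted to the well-known set; a real proxy would parse headers too)
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) (\S+) HTTP/1\.[01]\r?\n"
)


def looks_like_http_request(first_bytes: bytes) -> bool:
    """True if the initial bytes from the client form a valid HTTP/1.x request line."""
    return REQUEST_LINE.match(first_bytes) is not None


def packet_filter_decision(dst_port: int, first_bytes: bytes) -> str:
    """Layer-4 rule: decides on the port alone; the payload argument is ignored."""
    return "ALLOW" if dst_port == 80 else "DENY"


def alg_decision(dst_port: int, first_bytes: bytes) -> str:
    """HTTP application-layer gateway: port 80 only, and only if the stream is HTTP."""
    if dst_port != 80:
        return "DENY: port not proxied"
    if not looks_like_http_request(first_bytes):
        return "DENY: not HTTP"
    return "ALLOW"


# Constructed sample connections: (description, destination port, first client bytes).
# The second entry is a telnet client's option negotiation (IAC DO/WILL) followed
# by an echoed prompt, i.e. what a non-HTTP stream on port 80 looks like.
SAMPLES = [
    ("browser fetching a page", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("telnet client to a telnetd listening on port 80", 80,
     b"\xff\xfd\x18\xff\xfb\x18login: "),
    ("telnet client to port 23", 23, b"\xff\xfd\x18"),
]


def compare() -> list:
    """Run both policies over the samples; returns (description, filter, gateway) rows."""
    return [(d, packet_filter_decision(p, b), alg_decision(p, b)) for d, p, b in SAMPLES]


if __name__ == "__main__":
    for desc, pf, alg in compare():
        print(f"{desc:48s} packet filter: {pf:6s} gateway: {alg}")
```

The point the example makes is the one raised in the thread: the gateway's extra leverage is protocol conformance, not port control. It also shows the limit mentioned there, since an HTTP tunnel that emits valid request lines passes this check just as it passes a real proxy; the gateway raises the bar from "any program" to "a program that speaks HTTP", which is why the thread pairs it with preventing users from installing their own software.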