I waited a while before deciding to chime in on this topic. My apologies for
stealing the quote and mangling it.

Carson's law of firewalls:
Any sufficiently advanced application proxy is indistinguishable from any
sufficiently advanced stateful inspection engine.

Of course, in theory, theory and practice are the same, but in practice,
they're different.

The following are _generalizations_ - any particular item may or may not be
true for a given implementation.

The _current_ crop of application proxy based firewalls have many
limitations, especially when attempting to handle broken implementations or
bizarre protocols, or more common things like HA, failover, and
load-balancing. They tend to have weak support for UDP-based protocols. They
also, however, do a better job of securing the old-school Internet staples
(ftp, smtp, etc.) and protecting the IP stacks of internal machines. They
also tend to have better logging and finer grained access controls (for
those protocols for which they actually have real proxies). Best example:
read-only ftp server policy - only allow USER, PASS, CWD, PWD, NLST, RETR,
etc.

The _current_ crop of stateful inspection based firewalls are less
intrusive, have higher bandwidth, and lower latency. Some of them can fail
over without any user impact. They also tend to inspect almost nothing,
beyond the minimum to support NAT. I have _yet_ to see a stateful inspection
engine actually track FTP protocol state beyond parsing for (one hopes)
<CR><LF>227 PASV...<CR><LF> and its PORT brethren. They'll happily pass
through 10,000 byte command strings, illegal commands, whatever.

One of these years I'll get around to writing up my "Can your firewall do
this?" torture test list. Currently, I'm underwhelmed by everything
shipping, but have hopes for future product releases.
--
Carson Gaspar -- [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body
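The two points the post makes about FTP (a read-only proxy policy that only admits USER, PASS, CWD, PWD, NLST, RETR and the like, and an engine that does more than pass 10,000-byte or illegal command lines while only scanning for 227 PASV replies and PORT commands) can be shown in a small control-channel policy checker. This is an added example, not code from the post or from any firewall product. The commands added to the allowlist beyond the post's six (TYPE, LIST, PASV, PORT, QUIT, NOOP, SYST), the 512-byte line limit, and the sample lines are my own assumptions, not RFC or product values.

```python
"""Toy FTP control-channel policy check for a read-only application proxy.

Constructed example. Assumptions (not from the post or any product):
- allowlist entries beyond USER/PASS/CWD/PWD/NLST/RETR are mine,
- MAX_LINE is an arbitrary proxy limit, not an RFC 959 value.
"""
import re

READ_ONLY_COMMANDS = frozenset({
    "USER", "PASS", "CWD", "PWD", "NLST", "RETR",            # named in the post
    "LIST", "TYPE", "PASV", "PORT", "QUIT", "NOOP", "SYST",   # assumed extras
})
MAX_LINE = 512  # assumed per-line cap; rejects the "10,000 byte command" case

# h1,h2,h3,h4,p1,p2 as carried by PORT commands and 227 replies
_HOSTPORT = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 string, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def check_client_line(raw):
    """Decide what the read-only proxy does with one client control line.

    Returns (verdict, detail): verdict is 'allow' or 'deny'; for an allowed
    PORT, detail is the (ip, port) the client wants used for the data channel,
    which is the only pinhole the proxy should open.
    """
    if len(raw) > MAX_LINE:
        return "deny", "line too long (%d bytes)" % len(raw)
    if not raw.endswith(b"\r\n"):
        return "deny", "missing CRLF terminator"
    try:
        line = raw[:-2].decode("ascii")
    except UnicodeDecodeError:
        return "deny", "non-ASCII bytes in command"
    if any(ord(c) < 0x20 for c in line):      # embedded CR/LF/NUL etc.
        return "deny", "control character in command"
    parts = line.split(" ", 1)
    cmd = parts[0].upper()
    arg = parts[1] if len(parts) == 2 else ""
    if cmd not in READ_ONLY_COMMANDS:         # STOR, DELE, SITE ... all refused
        return "deny", "command %r not in read-only policy" % cmd
    if cmd == "PORT":
        endpoint = parse_hostport(arg)
        if endpoint is None:
            return "deny", "malformed PORT argument"
        return "allow", endpoint
    return "allow", cmd


def parse_pasv_reply(raw):
    """Extract (ip, port) from a server 227 reply, else None.

    This is the one piece of FTP state the post credits stateful engines with
    tracking; a proxy uses it to open exactly one data-channel pinhole.
    """
    line = raw.rstrip(b"\r\n").decode("ascii", errors="replace")
    if not line.startswith("227"):
        return None
    return parse_hostport(line)


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    for sample in (b"USER anonymous\r\n", b"retr README\r\n",
                   b"STOR upload.bin\r\n", b"PORT 10,0,0,5,4,1\r\n",
                   b"NLST" + b"A" * 10000 + b"\r\n"):
        print(sample[:24], "->", check_client_line(sample))
    print(parse_pasv_reply(b"227 Entering Passive Mode (192,168,1,20,19,137).\r\n"))
```

The allowlist turns "only allow USER, PASS, CWD, PWD, NLST, RETR" into a default-deny rule, the length and character checks are what a real proxy adds over an engine that merely scans for 227/PORT, and the two parsers yield the single endpoint the data-channel pinhole must be limited to rather than a blanket high-port opening.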