[EMAIL PROTECTED] wrote:
>
> The key to deploying a proper security infrastructure is to know what
> each component is designed to do.
>
This is certainly true, but your reply has nothing to do with the original
question. Maybe you simply don't know what an adaptive proxy is, or do you?
Adaptive proxies are an attempt to mix functionalities from application
level and from IP filtering techniques. The idea has been implemented a long
time ago in BULL's firewall (Netwall), but NAI gave it a name and made
considerable marketing efforts to sell it.
> STATEFUL INSPECTION
> Stateful Inspection firewalls can see everything a proxy firewall can see
> (layer 4-7); in addition, they can match and prevent protocol-level
> attacks (Layer 1-3) more efficiently
The only things that an IP filter gets that are not handed to an ALG are:
- the receiving network interface
- protocol headers
However, these have nothing to do with stateful inspection, but with basic
IP filtering, and I don't know of a proxy FW that does not protect against
attacks using these fields when a stateful inspection one does.
Reality is quite the opposite! As has been already said by many people in
this recurring thread, an IP filter cannot prevent unknown protocol attacks,
such as the famous OOB attack. The use of an ALG does protect against such
an attack, if the OS serving as a gateway is not subject to such an attack.
So what protocol level attacks does a stateful inspection protect against?
The "more efficiently" claim is subject to debate. Yes, ALGs caused overhead
but succeeded against the OOB attack, while IP filters were fast to let the
attack succeed.
>
> APPLICATION PROXIES
>
> Application-Layer Proxies can look at the protocol stream and inspect
> the stream for specific anomalies and application-specific state
> detection.
> The drawback is that they can open up to protocol level attacks (Layer
> 1-3)
Are you kidding? When the OOB attack appeared, hosts protected by IP
filtering firewalls were left with no defense except that of the destination
OS, while proxies implemented on sane OSes (like BSD) were out of touch.
> and are very difficult to implement due to protocol & SW specific
> knowledge needed to customize a defence (i.e. ICQ, BACK ORIFICE etc.)
??????
If it is difficult to implement a defense in user space, then it is probably
a quite-impossible task to implement it in kernel space. But you probably do
not know what you're talking about...
> Another drawback is Operating System flaws and patches
> dependency (NT/UNIX).
Oh really? An IP filter requires a modification of the OS, and thus
if a patch of the kernel appears, you'll have to wait for the IP filter
developer to check that his code is compatible with the patch and
probably to deliver an update. With an ALG, you generally need to do
nothing, as binary compatibility is always provided.
> and slow performance.
Slow and performance are words to use with great caution.
Always keep in mind that robustness/performance is a trade-off,
whatever marketers might say.
> A best of breed practice approach for each component in the area they
> were designed to shine is always prudent.
Nice try. Unfortunately for you, both approaches have been designed by
different people to deal with the same situation:
protecting private networks from outsiders.
My opinion is that both approaches may be used on the same box, to
perform different tasks. It is the security policy that dictates what
you need to do, not the technology.
ipfilter is sufficient for most people, but in sites where data-driven
attacks are of concern, proxies should be used. This is just an opinion,
and as such, has no value other than that of a personal opinion. If
you do not agree, forget about it.
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]