so what about the following kind of firewall:
- for any packet received, send it to the local process that listens on the
port, independently of the destination address
- the local process is a proxy, that thing called ALG, and knows how to
forward the packet if the packet is ok.
?
This is far more state-space-time-whatever-you-want. Does this mean that
everything else is bad, poor, suffers a big lack?
My point is that a feature is not the whole. So being 'statefool' doesn't make
you more secure, it only gives you one point. Global security is a global
question, where all features and all holes must be analyzed globally.
I am making this point because many marketers/vendors/*/ simply go
with args like "heh, but without my feature, you're out of luck...".
regards,
mouss
> As Bernd Eckenfels states, a stateful device can prevent you
> from low level attacks while a stateless device cannot.
>
> A big lack of a stateless device is the need to configure both
> ways of the packet flow which can be very tricky, especially in
> the case of UDP. The advantage of a stateful device is more in
> this area. You can connect to any system to any port, but the
> reply is only allowed if there is an entry in the connection
> table.
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
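The difference the quoted reply describes, as an added example that is not part of the original thread: a stateless filter needs a rule in each direction and its inbound UDP rule can only match header fields, so a spoofed "reply" from port 53 passes; a stateful filter passes an inbound packet only when the reversed 5-tuple is in its connection table. Addresses are constructed from documentation ranges and the filter classes are illustrative, not any product's code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = from inside host, "in" = from outside

# Constructed sample traffic: an inside host sends a DNS query, the real
# server replies, then an unrelated outside host sends a packet that
# copies the reply's port pair (same header fields, no prior query).
QUERY = Packet("udp", "10.0.0.5", 40000, "192.0.2.53", 53, "out")
REPLY = Packet("udp", "192.0.2.53", 53, "10.0.0.5", 40000, "in")
UNSOLICITED = Packet("udp", "198.51.100.7", 53, "10.0.0.5", 40000, "in")

class StatelessFilter:
    """Both directions must be configured by hand; the inbound rule
    sees only header fields and cannot tell a reply from anything else
    arriving with source port 53."""
    def allow(self, p):
        if p.direction == "out" and p.proto == "udp" and p.dport == 53:
            return True
        if p.direction == "in" and p.proto == "udp" and p.sport == 53:
            return True
        return False

class StatefulFilter:
    """Only the outbound rule is configured; an outbound packet creates
    a connection-table entry and inbound packets pass only when the
    reversed 5-tuple matches an existing entry."""
    def __init__(self):
        self.table = set()
    def allow(self, p):
        if p.direction == "out" and p.proto == "udp" and p.dport == 53:
            self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        if p.direction == "in":
            return (p.proto, p.dst, p.dport, p.src, p.sport) in self.table
        return False

def run(filt, packets):
    """Return the allow/deny decision for each packet in order."""
    return [filt.allow(p) for p in packets]
```

A real stateful device also ages entries out of the table, which this toy omits; the point shown is that the third packet is indistinguishable from a reply without that table.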