On Fri, 29 Sep 2000, Delmer Harris wrote:

> I can't stand it any more.  Why not use an authenticating proxy firewall
> instead of trying to contort a packet filter to make it work in higher
> layers of the ISO model?  If you really want to control outbound access by

Sometimes you can't insert a firewall, for instance if the access control
is to something on the same layer two network.  Some protocols don't have
proxies implemented for them.  Some protocols don't take easily to
proxy-based solutions, no proxy-based firewall I've looked at scales well
with authentication turned on, some clients don't support persistent
authentication cookies for one-time authentication credentials...

I'm sure I can come up with a few more, I've beaten my head against that
wall more than once in the past.

The real "best fit" is to authenticate lower in the chain and then proxy
that authentication.  Unfortunately it's difficult to do that well.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
