--On Tuesday, December 05, 2000 10:42 AM -0500 Brian Ford 
<[EMAIL PROTECTED]> wrote:

> Ali,
>
> You are wrong.
>
> The PIX includes specific support implemented above layer 3 for a number
> of applications including : ftp, http, h323, rsh, rtsp, sip, smtp, or
> sqlnet.

Ummm...Brian? Back off. Ali stated that application proxies were more 
secure than packet filters. (He also made the bizarre claim that Firewall-1 
was an app proxy, but I digress). The PIX _is_ a packet filter. Its layer 
3 modifications are nice, and let badly designed protocols work with NAT, 
but they are _not_ up to the level of good application proxies (note I said 
good - most vendors today are shipping crap app proxies). It also can't 
defend machines behind it against all stack attacks (although it does have 
some nice frag protection and sequence randomization features).

I will once again state my mantra that I use whenever this subject comes up:

"A sufficiently advanced packet filter is indistinguishable from a 
sufficiently advanced application proxy"

and, sadly:

"No sufficiently advanced version exists of either"

Take FTP (please! ;-). There's nothing stopping the PIX from having an 
engine sufficiently complex that it allows one to implement a security 
policy of "Allow GET, CWD, PWD, USER, PASS, PORT, and PASV, deny everything 
else" (we don't want warez sites on our anon FTP servers). Sadly, it 
doesn't. The FWTK does, as do some other application proxies.

-- 
Carson Gaspar - [EMAIL PROTECTED]
Queen trapped in a butch body
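The FTP command allowlist described in the reply ("Allow GET, CWD, PWD, USER, PASS, PORT, and PASV, deny everything else"), written out as the policy engine a control-channel proxy would run. This is an added example, not code from the thread, the FWTK or the PIX; it assumes the list's user-level GET means the wire command RETR, and it uses the standard 500/502 reply codes from RFC 959 to refuse lines.

```python
import re

# Allowlist for the FTP control channel. The thread's "GET" is the client-side
# verb; on the wire a download is RETR, so that is what the proxy sees (assumption).
ALLOWED_COMMANDS = frozenset({"RETR", "CWD", "PWD", "USER", "PASS", "PORT", "PASV"})

# RFC 959 command line: 3-4 letter verb, optional space + argument, CRLF.
# The argument may not contain CR or LF, which rules out smuggling a second
# command inside one line; fullmatch also rejects bare-LF and trailing junk.
_CMD_RE = re.compile(r"([A-Za-z]{3,4})(?: ([^\r\n]*))?\r\n")


def parse_command(line: bytes):
    """Return (VERB, argument) for a well-formed command line, else None."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        return None
    match = _CMD_RE.fullmatch(text)
    if match is None:
        return None
    return match.group(1).upper(), match.group(2) or ""


def filter_command(line: bytes):
    """Policy decision for one client line: (forward_to_server, reply_to_client)."""
    parsed = parse_command(line)
    if parsed is None:
        return False, b"500 Syntax error, command unrecognized.\r\n"
    verb, _argument = parsed
    if verb in ALLOWED_COMMANDS:
        return True, b""
    # Deny everything else: STOR, DELE, MKD, SITE, ... never reach the server.
    return False, b"502 Command not implemented.\r\n"


def filter_session(lines):
    """Run the policy over a client transcript; returns [(verb_or_None, forwarded)]."""
    decisions = []
    for line in lines:
        parsed = parse_command(line)
        forwarded, _reply = filter_command(line)
        decisions.append((parsed[0] if parsed else None, forwarded))
    return decisions


# Constructed anonymous-FTP session: a legitimate download followed by the
# upload/mkdir pair a warez dropper would try.
SAMPLE_SESSION = [b"USER anonymous\r\n", b"PASS guest@\r\n", b"CWD /pub\r\n",
                  b"PASV\r\n", b"RETR README\r\n", b"STOR upload.bin\r\n",
                  b"MKD .hidden\r\n", b"RETR a\nSTOR b\r\n"]

if __name__ == "__main__":
    for verb, forwarded in filter_session(SAMPLE_SESSION):
        print(f"{str(verb):6} -> {'forward' if forwarded else 'deny'}")
```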