On Friday 14 Feb 2003 11:47 am, [EMAIL PROTECTED] wrote:

> I've been using straight iptables rules for firewalling. I'm educated in
> security, and am wondering how firewall rules applied straight to the
> kernel via iptables/netfilter compare and contrast with using a firewall
> product.

A firewall is not so much a product or a feature as an architecture. You can build a firewall on one system, or you can build it out of a number of systems.

A firewall is usually made up of a packet filter of some sort (either stateful or stateless; it used to be the latter, usually the former these days) and a collection of proxies and services. These days you can add an IDS of some sort on top of that as well.

The idea is that as many protocols as possible are forced to be proxied through the firewall system. These proxies are intended to constrain the protocol being transmitted to sane values, to control who can talk to whom, to force extra authentication, etc.

So, for instance, a typical firewall would have proxies for HTTP, FTP, SMTP, Telnet, Real Audio, etc. These could be colocated on the same system, or if you're really paranoid split across systems so a compromise of one would be contained to just that system.

Typically things like CyberGuard and Gauntlet combine all of these features onto one box, but people have built good firewalls with screening routers and some PCs to run as the proxies.

cheers!
Chris

-- 
Chris Samuel
Wollongong, NSW

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
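The single-box variant of the architecture described in the reply (stateful packet filter plus forced proxying, with no direct forwarding), as an added example that is not part of the original post. The interface names, the 192.168.1.0/24 LAN and the proxy ports 3128 and 25 are assumptions; the script only emits and checks the ruleset, it does not load it.

```shell
#!/bin/sh
# Added example (not from the original post): a proxy-only firewall on one box,
# written as iptables-restore input so it can be reviewed before it is loaded.
# Assumed layout: eth0 faces the Internet, eth1 faces the LAN 192.168.1.0/24,
# an HTTP proxy listens on local port 3128 and an SMTP proxy on port 25.
build_ruleset() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# LAN web traffic is steered into the local HTTP proxy instead of passing through
-A PREROUTING -i eth1 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# LAN hosts may reach the proxies only (redirected HTTP arrives on 3128)
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp -m multiport --dports 3128,25 -m state --state NEW -j ACCEPT
# the Internet may deliver mail to the SMTP proxy and nothing else
-A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -j ACCEPT
# no packet is ever forwarded: application traffic must originate from a proxy
-A FORWARD -j LOG --log-prefix "fw-direct-attempt: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# what the proxies themselves may open towards the Internet
-A OUTPUT -o eth0 -p tcp -m multiport --dports 80,25 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Invariants a proxy-only design must keep: every filter chain defaults to
# DROP, and no FORWARD rule ACCEPTs (that would let clients bypass the proxies).
check_ruleset() {
  rules=$(build_ruleset)
  for chain in INPUT FORWARD OUTPUT; do
    printf '%s\n' "$rules" | grep -q "^:$chain DROP" || return 1
  done
  printf '%s\n' "$rules" | grep '^-A FORWARD' | grep -q ACCEPT && return 1
  return 0
}

# Review the output, then load it with: build_ruleset | iptables-restore
check_ruleset && echo "ruleset keeps the proxy-only invariants"
```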