Firewall Wizards mailing list archives

Re: Bordermanager vs Blackhole firewall...


From: sandeep kumar <stalwar () yahoo com>
Date: Fri, 27 Nov 1998 08:30:08 -0800 (PST)

Don, your question is whether to use a proxy or not
for a particular application, and if we do not use the
proxy, then what? Do we NAT?

There are two issues with the proxy. First, a proxy
normally would operate in the application layer, so
it would have the best knowledge about the current
state of the connection.
Second, a proxy does not allow any direct connection
between the two parties, i.e. the two ends, say an
FTP client inside the trusted network and an FTP
server on the Internet. The proxy examines all the
connections between the two ends. All the outgoing
packets get the IP address of the proxy and all the
incoming packets are neatly sent to the client on
the internal network.
But the drawback is speed. The speed of the
connection slows down considerably as compared to
packet filtering speeds (because all the packets
are analyzed at the application level).

Now, in such a scenario, if one were "not" to use a
proxy, then the question of whether to use NAT comes in.
NAT is used for two cases (normally):
first, if you want to hide your internal host's IP
address from the outside world;
second, if your internal network has IP addresses
which are non-routable, like the 10.x.x.x range.
So if one has a host on the internal trusted network
which has a registered IP address, then one would not
use NAT.

I hope the issue between the two firewalls, viz.
Bordermanager and Blackhole, is clear.

Don Tuer <dtaadv () ionsys com> wrote that:
Date: Thu, 12 Nov 1998 18:58:54 -0500
From: Don Tuer <dtaadv () ionsys com>
Subject: [none]

Hello:

        I'm wondering if anyone has used Novell's BorderManager or has any
experience with this product. I have a customer who is looking to replace
their Blackhole firewall with BorderManager. From what I can see, Blackhole
provides generic proxies which are currently not available in BorderManager.
Would this mean that they have to implement NAT to support applications
which do not have a proxy?

Thanks

Don






