Firewall Wizards mailing list archives
Re: Firewall comparison in Data Communications
From: "Ge' Weijers" <ge () progressive-systems com>
Date: Tue, 1 Jun 1999 14:27:00 -0400
On Sat, May 29, 1999 at 03:21:59PM -0700, Robert Graham wrote:
> It depends on where a firewall hooks into the TCP/IP stack. I know that BlackICE (an IDS with some minor firewall functionality) hooks in between the adapter and the TCP/IP stack. Because of this, it has to completely re-implement the TCP/IP stack that it is filtering, meaning any/all features/bugs of the Microsoft stack are irrelevant.

'completely re-implement the TCP/IP stack' is an exaggeration. You can easily plug a packet filter between the network card device driver and the network stack(s) proper without having to reinvent the TCP stack, even if you want to track every single TCP and UDP 'connection' and maintain connection state. The firewall is not going to request retransmits on its own, it's not going to route etc. The bugs in the host O/S are still relevant, if they can be exploited using packets that look valid to the firewall. Some exploits use syntactically valid packets, and a packet-at-a-time firewall may not protect you against that if you allow incoming traffic to

Ge'

--
Ge' Weijers                      Voice: (614)326 4600
Progressive Systems, Inc.        FAX:   (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
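Added example, not part of the thread or any product it mentions: a minimal stateful packet filter in Python that keeps per-flow state from packet headers alone, showing that tracking every TCP and UDP 'connection' needs no TCP reimplementation, and that a packet which fits an established flow passes without its payload being examined. The 10.0.0.0/8 "inside" convention, all names and the packet trace are assumptions of this example.

```python
# Added example, not from the thread: a minimal stateful packet filter
# sitting between the driver and the host stack. It keeps per-flow state
# from headers alone and never reassembles, retransmits or routes.
# The 10.0.0.0/8 "inside" convention and the trace are constructed.
from collections import namedtuple
Packet = namedtuple("Packet", "proto src sport dst dport flags", defaults=(frozenset(),))
def inside(ip):
    return ip.startswith("10.")  # assumption: 10.0.0.0/8 is the protected side
def flow_key(p):
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)  # same key in both directions
class StatefulFilter:
    def __init__(self):
        self.flows = {}  # flow_key -> state; this dict is all the state kept
    def decide(self, p):
        k = flow_key(p)
        st = self.flows.get(k)
        if p.proto == "udp":
            if st is None and inside(p.src):  # outbound datagram opens a pseudo-flow
                self.flows[k] = "UDP"
                return "pass"
            return "pass" if st else "drop"  # inbound only as a reply to one we saw
        if "RST" in p.flags or "FIN" in p.flags:  # close: forget the flow, pass the packet
            return "pass" if self.flows.pop(k, None) else "drop"
        if st is None:  # only the inside may open a connection
            if p.flags == {"SYN"} and inside(p.src):
                self.flows[k] = "SYN_SENT"
                return "pass"
            return "drop"
        if st == "SYN_SENT" and not inside(p.src):
            if p.flags != {"SYN", "ACK"}:
                return "drop"  # the outside may only answer with SYN/ACK here
            self.flows[k] = "ESTABLISHED"
        return "pass"  # headers fit a known flow; the payload is never looked at
def run_trace():
    """Constructed trace: handshake, data, unsolicited inbound SYN, DNS, FIN."""
    f, T = StatefulFilter(), frozenset
    trace = [
        Packet("tcp", "10.1.1.5", 40000, "192.0.2.9", 80, T({"SYN"})),
        Packet("tcp", "192.0.2.9", 80, "10.1.1.5", 40000, T({"SYN", "ACK"})),
        Packet("tcp", "10.1.1.5", 40000, "192.0.2.9", 80, T({"ACK"})),
        Packet("tcp", "192.0.2.9", 80, "10.1.1.5", 40000, T({"PSH", "ACK"})),  # valid-looking data passes
        Packet("tcp", "198.51.100.7", 5555, "10.1.1.5", 445, T({"SYN"})),  # unsolicited inbound dropped
        Packet("udp", "10.1.1.5", 5353, "192.0.2.53", 53),
        Packet("udp", "192.0.2.53", 53, "10.1.1.5", 5353),
        Packet("tcp", "192.0.2.9", 80, "10.1.1.5", 40000, T({"FIN", "ACK"})),
    ]
    return [f.decide(p) for p in trace]
```

The fourth packet is the case the post warns about: it is accepted purely because its header fits a tracked flow, so whatever the host stack does with its contents is outside the filter's view.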