Firewall Wizards mailing list archives

RE: Compare Firewalls


From: "Joe Ippolito" <joe () joesnet com>
Date: Wed, 8 Sep 1999 21:49:33 -0700

MS is apparently of the opinion that their packet filter is more effective
than third party firewalls on NT.  See:

http://www.microsoft.com/proxy/Comparisons/CompMatrix.asp?A=4&B=2

They even go so far as to say "... Proxy Server is as secure as other
firewall products available today..."

With what they have at stake making such a claim, I cannot imagine a packet
filter written by a third party being any more effective.  If you think we
can prove otherwise maybe there is some money to be made?

I believe that most packet filters by reputable organizations are effective
and it is the person configuring it that puts the machine/network at risk.

Back to Tudor's original objective: "I am trying to convince the people in
the IT dept. here that they should get rid of the Microsoft Proxy"

And his question: "Can anybody point me to a site with some information
about the poor reliability/security/etc. of M$ Proxy?"

It is my opinion that Tudor should concentrate on features that his
organization needs and that MS Proxy cannot provide.  Examples would be
static address translation, ICMP, and a fully functional DMZ.  I believe he
will be wasting his time looking for MS Proxy's security deficiencies.  If
he finds any, M$ has the coders to fix it in a hurry.

Are you still teaching FW-1 classes?  If so where?  I may have more people
to send.


-----Original Message-----
From: Dameon D. Welch [mailto:dwelch () best com]
Sent: Wednesday, September 08, 1999 8:52 AM
To: joe () joesnet com
Cc: firewall-wizards () nfr net
Subject: Re: Compare Firewalls


An application layer filter cannot protect your OS against certain DoS
attacks such as a Ping of Death. A Ping of Death causes problems at the
IP stack, which an application cannot effectively protect. An application
can filter based on IP addresses, but it's more like an access list for
the application (like TCP Wrappers) versus kernel-level packet filtering.

A packet filter can look at an entire packet and, with stateful capabilities,
can even keep track of a session. Properly configured, it can protect the
OS from attacks that otherwise would crash the IP stack. But even a stateful
packet filter has problems with things like content filtering and
authentication, which really require user-level processes to be efficient.

(This is why both technologies exist in most commercial firewalls)

Someone on the list suggested that MS-Proxy may, in fact, do some packet
filtering. I guess I don't know for sure since it's been quite a while
since I touched an MSProxy box. I do know that Microsoft is adding
some functionality to MSProxy that would make it more firewall-like,
at least if you believe the trade press.

-- PhoneBoy

On Wed, Sep 08, 1999 at 06:01:29AM -0700, Joe Ippolito wrote:

So what I hear you saying is that MS Proxy uses an application-level packet
filter that is less secure than a kernel-level packet filter?  Can you cite
an example and say why?  Wouldn't either one have to get in front of the OS
to filter incoming packets?
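The split PhoneBoy draws above (a kernel-level stateful packet filter that sees every fragment before the IP stack, versus an application-level access list in the style of TCP Wrappers that only runs once the OS has delivered a complete connection) can be made concrete with a small model. The following is an added illustration for this thread, not code from any product named in it; the packet fields, the 10.0.0.0/24 and 192.0.2.x/198.51.100.x addresses, and the "allow inbound TCP only as the return half of a session an inside host opened" rule are assumptions chosen for the demo, and every packet is constructed rather than captured.

```python
"""Toy model of a kernel-level stateful packet filter beside an
application-level access list.

Added illustration for the thread, not code from any product named in it.
Packet fields, addresses and the session-tracking rule are assumptions
chosen for the demo; all packets below are constructed, not captured.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_IP_DATAGRAM = 65535  # largest size an IPv4 datagram may reassemble to


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp" or "tcp"
    sport: int = 0
    dport: int = 0
    frag_offset: int = 0  # fragment offset in 8-byte units, as in the IP header
    payload_len: int = 0  # bytes of IP payload carried by this packet/fragment
    more_frags: bool = False
    syn: bool = False
    ack: bool = False


class StatefulPacketFilter:
    """Sits in front of the IP stack: sees every fragment before reassembly."""

    def __init__(self, inside_net: str):
        self.inside = ip_network(inside_net)
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, p: Packet) -> bool:
        return ip_address(p.src) in self.inside

    def check(self, p: Packet) -> str:
        # Ping of Death: the final fragment places bytes past 65535, so the
        # reassembled datagram overflows the receiver's buffer. Dropping it
        # here means the protected host's stack never tries to reassemble it.
        if p.frag_offset * 8 + p.payload_len > MAX_IP_DATAGRAM:
            return "DROP oversized fragment"
        if p.proto == "tcp":
            if self.outbound(p):
                if p.syn and not p.ack:
                    self.sessions.add((p.src, p.sport, p.dst, p.dport))
                return "ACCEPT"
            # Inbound TCP is only allowed as the return half of a session an
            # inside host opened; unsolicited connection attempts are dropped.
            if (p.dst, p.dport, p.src, p.sport) in self.sessions:
                return "ACCEPT established"
            return "DROP no matching session"
        if p.proto == "icmp":
            return "ACCEPT"  # policy for this demo: echo traffic is permitted
        return "DROP unknown protocol"


class ApplicationAccessList:
    """TCP Wrappers-style check on the protected host: runs only once the OS
    has delivered a complete connection, so it never sees fragments or ICMP."""

    def __init__(self, allowed_clients):
        self.allowed = set(allowed_clients)

    def check(self, p: Packet) -> str:
        if p.proto != "tcp" or p.frag_offset or p.more_frags:
            return "UNSEEN"  # handled (or crashed on) by the kernel first
        return "ACCEPT" if p.src in self.allowed else "REJECT"


def run_scenario():
    """Constructed traffic: (packet filter, app ACL) verdicts keyed by name."""
    pf = StatefulPacketFilter("10.0.0.0/24")
    acl = ApplicationAccessList(allowed_clients={"192.0.2.10"})
    traffic = {
        # Last fragment of an ICMP echo: offset 8189*8 = 65512, plus 1000 bytes
        "ping_of_death": Packet("198.51.100.7", "10.0.0.5", "icmp",
                                frag_offset=8189, payload_len=1000),
        "normal_ping": Packet("198.51.100.7", "10.0.0.5", "icmp", payload_len=64),
        "outbound_syn": Packet("10.0.0.5", "192.0.2.10", "tcp",
                               sport=40000, dport=80, syn=True),
        "reply_to_syn": Packet("192.0.2.10", "10.0.0.5", "tcp",
                               sport=80, dport=40000, syn=True, ack=True),
        "unsolicited_syn": Packet("198.51.100.7", "10.0.0.5", "tcp",
                                  sport=5555, dport=80, syn=True),
    }
    # Order matters for the stateful filter: the SYN must precede the reply.
    return {name: (pf.check(p), acl.check(p)) for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (pf_verdict, acl_verdict) in run_scenario().items():
        print(f"{name:16} packet filter: {pf_verdict:26} app ACL: {acl_verdict}")
```

Running it shows the two points made in the thread: the oversized fragment is dropped by the packet filter but is simply "UNSEEN" at the application layer, because nothing above the IP stack ever gets a chance to decide, and the unsolicited inbound SYN is refused by both layers, but the packet filter refuses it before the kernel has accepted a connection at all, which is where the stateful table does its work.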


