Firewall Wizards mailing list archives
Re: Firewalls that generate new packets..
From: Dave Piscitello <dave () corecom com>
Date: Sat, 17 Nov 2007 10:05:34 -0500
The archives of this list contain several threads that go into detail about the pros and cons of stateful traffic inspection versus proxy or "read-rewrite" firewalls.
Few firewalls today are exclusively one or the other. The archives have lots of opinions over which is better but I think that's a moot issue at this point in firewall evolution.
Some of the things I like about SMTP proxies in particular are that they allow you to rewrite header fields to normalize SMTP headers, i.e., every piece of mail can be made to look like it came from one server and you can strip all but the mail headers you want to disclose before mail exits, etc.
Commercial examples include Watchguard FireboxX and Secure Computing Sidewinder. The original firewall toolkit evolved into one of my favorite firewalls, the TIS Gauntlet. Network Associates bought TIS, then NAI sold the Gauntlet to Secure Computing, who I believe offered the Gauntlet on Solaris but has phased out the product. Sad, I really loved running Gauntlet on BSD.
Matthew Hannigan wrote:
> On Wed, Nov 14, 2007 at 02:58:37PM +1100, Kelly Robinson wrote:
> > Some firewalls, after receiving a packet, generate a new packet and populate it with data from the original, rather than forwarding the same packet that was received. What are the advantages and disadvantages of this approach? And does anyone have any examples of any firewalls that do this on the market?
>
> I guess all proxying firewalls like the original fwtk do this.
>
> Advantage: Your firewall is more trusted not to do funky stuff that might upset internal servers.
>
> Directly concomitant disadvantage: The packet may not be an entirely faithful version of the original (besides the obvious source addr/port)
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
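The header normalization Dave describes (strip everything but the headers you choose to disclose, and make every message appear to originate at one server) is easy to illustrate. The following is an added example written for this archive page; it is not code from the post, nor from fwtk, Gauntlet, Firebox or Sidewinder. The allow-list, the proxy host name `mailgw.example.com`, the function names and the sample message are all assumptions constructed here.

```python
"""Outbound SMTP header normalization in the style of a proxy firewall.

Added illustration; the allow-list, host name and sample message are
constructed for this example and are not taken from any product.
"""
import email
from email.message import Message
from email.utils import formatdate

# Header names the proxy is willing to let leave the organisation (assumed policy).
ALLOWED_HEADERS = frozenset(h.lower() for h in (
    "from", "to", "cc", "date", "subject", "message-id", "in-reply-to",
    "references", "mime-version", "content-type", "content-transfer-encoding",
))

PROXY_HOST = "mailgw.example.com"  # hypothetical name of the mail proxy


def normalize_outbound(raw: str, proxy_host: str = PROXY_HOST) -> tuple[str, list[str]]:
    """Rebuild a message so that only allow-listed headers survive.

    Returns the rewritten message text and the list of header names that
    were dropped, so the proxy can log what would otherwise have leaked.
    """
    src = email.message_from_string(raw)
    out = Message()
    # A single Received line: every message looks like it came from the proxy,
    # and the internal relay path in the original Received headers is gone.
    out["Received"] = f"from {proxy_host} by {proxy_host} with SMTP; {formatdate()}"
    removed: list[str] = []
    for name, value in src.items():          # items() keeps source order and duplicates
        if name.lower() in ALLOWED_HEADERS:
            out[name] = value
        else:
            removed.append(name)
    out.set_payload(src.get_payload())       # body is carried over unchanged
    return out.as_string(), removed


def disclosed_headers(raw: str) -> list[str]:
    """Header names an outside recipient would see after normalization."""
    normalized, _ = normalize_outbound(raw)
    return list(email.message_from_string(normalized).keys())


# Constructed sample: a message as it might arrive at the proxy from an
# internal relay, carrying workstation and client details in its headers.
SAMPLE_RAW = (
    "Received: from desk42.corp.internal (10.20.30.42) by mta1.corp.internal;"
    " Sat, 17 Nov 2007 09:55:01 -0500\n"
    "Received: from mta1.corp.internal by mailgw.example.com;"
    " Sat, 17 Nov 2007 09:55:03 -0500\n"
    "X-Originating-IP: 10.20.30.42\n"
    "X-Mailer: SomeMUA 3.1 (build 2007)\n"
    "User-Agent: SomeMUA/3.1\n"
    "From: alice@corp.internal\n"
    "To: bob@example.net\n"
    "Subject: quarterly numbers\n"
    "Date: Sat, 17 Nov 2007 09:54:58 -0500\n"
    "Message-ID: <20071117145458.1234@desk42.corp.internal>\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Numbers attached in the next message.\n"
)

if __name__ == "__main__":
    text, dropped = normalize_outbound(SAMPLE_RAW)
    print("dropped:", dropped)
    print(text)
```

Note what the example deliberately leaves alone: the Message-ID still carries the internal workstation name. Rewriting it would hide that too, but it would also break In-Reply-To and References threading at the recipient, which is exactly the "not an entirely faithful version of the original" trade-off raised in the quoted reply. Whether the proxy rewrites it is a policy decision, not something the code should decide silently.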