Firewall Wizards mailing list archives

Re: Proxies, opensource and the general market: what's wrong with us?


From: Claudio Telmon <claudio () telmon org>
Date: Fri, 29 Apr 2011 10:22:45 +0200

On 04/29/2011 06:30 AM, Magosányi Árpád wrote:

> You have a very valid point here. Do one thing and do it well. This is
> why a firewall doesn't do packet filtering or tcp session handling.
> It leaves those functions to the operating system; using, defining and
> controlling them in the same way an application uses, defines and
> controls the underlying database.

First, let me say that I probably missed "some" discussions on this; I
didn't really read this mailing list for a long time (I got bored as most
messages were something like: how can I configure this on a PIX ;) ).
However, to my knowledge packet filters have always been considered
firewalls: the definition has usually been based on function (enforcing
a security policy on network traffic) and not on technology. I also
checked some old books, including Cheswick's and Chapman's "old
testaments", and they all confirm that even a static/stateless packet
filter has always been called "a firewall". Now many think that a packet
filter is the only kind of firewall because (almost?) every well-known
product is a packet filter.

Proxies have mostly been put on top of an operating system's tcp/ip
stack, but I wouldn't say that this is a benefit; it's just simpler. The
tcp/ip stack of an os has a lot of code that is useless for a firewall,
be it a router or a proxy, and that could include bugs. Also, it
executes at a high privilege, with the obvious consequences. And it may
lack some functionality that can be proper for a firewall, including
detailed logging (you have logging in netfilter, but that's a firewall
component, not part of the os functionality). A proper solution would be
to use a user-level tcp/ip stack: some exist, but nobody uses them for
the obvious reasons.

Also, having more devices (e.g. separating a packet filter from a proxy,
and from a VPN concentrator, etc.) means more complexity and more
errors/bugs.

I wouldn't say that most users think that blocking ports is the only
thing a firewall should/can do. Almost every device currently has this
basic functionality, including routers, load balancers etc., so
companies buying an expensive firewall expect it to do something more.
The problem is whether they know what, and whether they get it or not ;)

ciao

- Claudio

-- 

Claudio Telmon
claudio () telmon org
http://www.telmon.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
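The message above contrasts a packet filter (ports and addresses, enforced in the kernel) with a proxy that runs as an ordinary process on top of the operating system's TCP/IP stack and can enforce and log application-level policy. The following is an added example written for this archive page, not code from the thread or any product discussed in it: a minimal HTTP forwarding proxy that parses the request head, applies a constructed allow-list policy (methods and destination hosts) and logs every decision with the client address, all without privileges beyond a loopback socket. The host names, the policy and the `demo()` harness are assumptions made for illustration.

```python
# Added example (not from the original thread): an unprivileged application-
# layer proxy on the OS TCP stack that enforces an HTTP policy and logs each
# decision. Policy, host names and the demo traffic are constructed.
import logging
import socket
import threading

log = logging.getLogger("policy-proxy")

ALLOWED_METHODS = {"GET", "HEAD"}        # constructed policy
ALLOWED_HOSTS = {"intranet.example"}     # constructed destination allow-list
MAX_HEAD = 8192                          # refuse oversized heads before parsing


def parse_request_head(head: bytes):
    """Return (method, target, host) from an HTTP/1.x request head, or None."""
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    method, target, _ = parts
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().split(":")[0].lower()
    return method, target, host


def decide(head: bytes):
    """Apply the policy to one request head; return (allowed, reason)."""
    if len(head) > MAX_HEAD:
        return False, "request head too large"
    parsed = parse_request_head(head)
    if parsed is None:
        return False, "malformed request line"
    method, _, host = parsed
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if host is None:
        return False, "missing Host header"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host} not allowed"
    return True, "ok"


def read_head(conn: socket.socket) -> bytes:
    """Read until the end of the request head or past the size limit."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) <= MAX_HEAD:
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf


def handle_client(conn: socket.socket, upstream) -> str:
    """Proxy one accepted connection; return the logged decision reason."""
    peer = conn.getpeername()
    head = read_head(conn)
    allowed, reason = decide(head)
    log.info("client=%s:%d decision=%s reason=%s",
             peer[0], peer[1], "allow" if allowed else "deny", reason)
    if not allowed:
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        return reason
    # The OS stack does TCP for us; the proxy only ever sees application bytes.
    with socket.create_connection(upstream) as up:
        up.sendall(head)
        while True:
            data = up.recv(4096)
            if not data:
                break
            conn.sendall(data)
    conn.close()
    return reason


def _fake_upstream(srv: socket.socket, stop: threading.Event):
    """Constructed origin server: answer any request with a tiny 200."""
    srv.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            read_head(conn)
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nhi")


def demo():
    """Push three constructed requests through the proxy on loopback.

    Returns a list of (status line seen by the client, decision reason)."""
    up_srv = socket.socket()
    up_srv.bind(("127.0.0.1", 0))
    up_srv.listen()
    px_srv = socket.socket()
    px_srv.bind(("127.0.0.1", 0))
    px_srv.listen()
    stop = threading.Event()
    threading.Thread(target=_fake_upstream, args=(up_srv, stop), daemon=True).start()
    requests = [
        b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
        b"POST /upload HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n",
    ]
    results = []
    for req in requests:
        client = socket.create_connection(px_srv.getsockname())
        client.sendall(req)                 # small enough to sit in the kernel buffer
        conn, _ = px_srv.accept()
        reason = handle_client(conn, up_srv.getsockname())
        resp = b""
        while True:
            data = client.recv(4096)
            if not data:
                break
            resp += data
        client.close()
        results.append((resp.split(b"\r\n")[0].decode(), reason))
    stop.set()
    up_srv.close()
    px_srv.close()
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s %(message)s")
    for status, reason in demo():
        print(status, "-", reason)
```

Running the file shows one allowed request relayed to the constructed origin and two denied ones answered locally with 403, each with a log line naming the client and the reason; a packet filter matching on port 80 would have passed all three identically, which is the functional difference the message is pointing at.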

