Firewall Wizards mailing list archives
Re: Proxies, opensource and the general market: what's wrong with us?
From: Claudio Telmon <claudio () telmon org>
Date: Fri, 29 Apr 2011 10:22:45 +0200
On 04/29/2011 06:30 AM, Magosányi Árpád wrote:
> You have a very valid point here. Do one thing and do it well. This is why a firewall doesn't do packet filtering or tcp session handling. It leaves those functions to the operating system; using, defining and controlling them in the same way an application uses, defines and controls the underlying database.
First, let me say that I probably missed "some" discussions on this, I didn't really read this mailing list for a long time (I got bored as most messages were something like: how can I configure this on a PIX ;) ). However, to my knowledge packet filters have always been considered firewalls: the definition has usually been based on function (enforcing a security policy on network traffic) and not on technology. I also checked some old books, including Cheswick's and Chapman's "old testaments", and they all confirm that even a static/stateless packet filter has always been called "a firewall". Now many think that a packet filter is the only kind of firewall because (almost?) every well-known product is a packet filter.

Proxies have mostly been put on top of an operating system's tcp/ip stack, but I wouldn't say that this is a benefit, it's just simpler. The tcp/ip stack of an OS has a lot of code that is useless for a firewall, be it a router or a proxy, and that could include bugs. Also, it executes at a high privilege, with the obvious consequences. And it may lack some functionality that can be proper for a firewall, including detailed logging (you have logging in netfilter, but that's a firewall component, not part of the OS functionality). A proper solution would be to use a user-level tcp/ip stack: some exist, but nobody uses them, for the obvious reasons. Also, having more devices (e.g. separating a packet filter from a proxy, and from a VPN concentrator, etc.) means more complexity and more errors/bugs.

I wouldn't say that most users think that blocking ports is the only thing a firewall should/can do. Almost every device currently has this basic functionality, including routers, load balancers etc., so companies buying an expensive firewall expect it to do something more. The problem is whether they know what, and whether they get it or not ;)

ciao - Claudio

--
Claudio Telmon
claudio () telmon org
http://www.telmon.org

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards