Great Circle Associates Firewalls
(June 1997)


Subject: RE: PIX and Firewall-1
From: Eric Vyncke <evyncke @ cisco . com>
Date: Wed, 04 Jun 1997 15:53:05 +0000
To: Pedro Salgueiro <psalgueiro @ speedy . europe . dg . com>, "'Mike Jones'" <newman!jonesmd @ uunet . uu . net>
Cc: "'firewalls'" <firewalls @ GreatCircle . COM>

Hi Pedro,

Even though I am working for Cisco, may I add the following inline
comments?

You should not confuse:
	- packet filtering routers, i.e. plain Cisco or xxx routers
	  with cumbersome and intricate access control lists
	- a firewall component which uses a more evolved inspection
	  technique, like PIX or Firewall-1

At 09:29 4/06/97 +0100, Pedro Salgueiro wrote:
>Hi to all,
>I've been "watching" the discussion regarding the differences between
>packet-filtering and application level firewalls. I believe that there are
>1 - Packet filtering firewalls are more difficult to manage (It is very
>simple to mis-configure => less secure).
>It may be very complicated establishing rules.

True for routers, not true for components like PIX or Firewall-1. The
latter are more protocol aware and thus ACLs are much easier to configure.

>2 - Packet filter systems are always routing packets (so "fail-open" may
>occur). A well known constructor firewall crashed with a ping attack and
>routed all the packets from the insecure network to the secure one.

True again for routers, but false for PIX/FW-1.

>3 - If you are using a packet filter system and you provide SMTP, HTTP,
>etc. you cannot control what the users do with those protocols, i.e., you
>open or close a port. Application level firewalls provide secure daemons
>of those protocols.

True again for routers, but false for PIX/FW-1. The latter
have the knowledge of HTTP, SMTP, ... protocols and actually
analyse the traffic to make their decision.

Hope this helps

>Pedro Salgueiro
>Data General Portugal
>Tel.  +351 - 1 - 4129600
>Fax. +351 - 1 - 4129699
>mailto:psalgueiro @ pt . europe . dg .
>R. Dr. António Loureiro Borges nº2
>Arquiparque - Miraflores
>1495 Algés
>"Don't take life too serious no one gets out alive!!!! :-)"
>* These are my own opinions and do not reflect those of the company *
>From: 	Mike Jones
>Sent: 	Wednesday, 4 June 1997 8:55
>To: 	mfiocchi @ otm . it; firewalls @ GreatCircle . COM; carlsonp @ sprynet .
>Subject: 	Re: PIX and Firewall-1
>Peter Carlson writes....
>> There are many comparisons made by datacomm, lan times, ziff-davis and
>> others.  Keep in mind that both pix and fw-1 are glorified packet filters,
>> even though they have a fancy name for it.  I would stick with an
>> application level gateway.  They are well accepted and known for being more
>> secure.
>Many things are known that aren't so. This claim comes by periodically
>in this forum, and I have yet to get an answer to this question: in
>what way are application level gateways more secure than, say, FW-1 or PIX?
>There are certainly capabilities that can be provided via application 
>proxies that can't be provided by any filter-based technologies, but what
>types of attacks are a FW-1 or a PIX vulnerable to that application
>proxies aren't?
>	Mike Jones
>	Sr. Technology Advisor
>	UNIFIED Technologies
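As an added illustration of the distinction drawn in this thread (this is not code from any poster, Cisco or Check Point), here is a toy comparison of a stateless router ACL that permits inbound "established" traffic by looking at the ACK bit, versus a stateful inspector that only admits inbound packets matching a connection it saw opened from the inside. Addresses, ports and the packet sequence are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool       # TCP ACK flag set
    inbound: bool   # True when the packet arrives from the untrusted side


def stateless_filter(pkt: Packet) -> bool:
    """Classic router ACL: permit everything outbound, permit inbound only if
    'established' (ACK bit set). The router keeps no memory of earlier packets,
    so it cannot tell a genuine reply from any other packet carrying ACK."""
    if not pkt.inbound:
        return True
    return pkt.ack


class StatefulInspector:
    """Keeps a table of connections opened from the inside; an inbound packet
    is accepted only if it is the reply half of one of those connections."""

    def __init__(self) -> None:
        self.table = set()  # (src, sport, dst, dport) of outbound connections

    def filter(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Reverse the tuple: the reply's destination is our original source.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def compare(packets):
    """Return [(stateless_verdict, stateful_verdict), ...] for a packet sequence."""
    insp = StatefulInspector()
    return [(stateless_filter(p), insp.filter(p)) for p in packets]


# Constructed sample traffic (documentation-range addresses, not real hosts):
# 1. an inside host opens an HTTP connection to an outside server
# 2. the server's reply comes back in (legitimate, ACK set)
# 3. an unsolicited inbound packet with ACK set, aimed at an inside telnet port
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, ack=False, inbound=False),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, ack=True, inbound=True),
    Packet("198.51.100.7", 5555, "10.0.0.5", 23, ack=True, inbound=True),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless/stateful = {verdict}")
```

The third packet is the case the thread argues about: the stateless ACL passes it because the ACK bit is set, while the connection table rejects it because no inside host ever opened that session.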
