On Wed, 08 Apr 2009 09:20:34 +1000 Karl Auer <kauer@biplane.com.au> wrote:
On Wed, 2009-04-08 at 10:46 +1200, Nathan Ward wrote:
I'd be interested to hear why people use firewalls.
End hosts are not always trustworthy.
If a host is compromised, should it be able to send anything and everything out to the public network?
A packet filter looks at the "top surface" of the packet, and processes the packet accordingly - based on things like the protocol, the source address, the destination address, the TCP flags and so on.
A firewall, on the other hand, makes decisions based on knowledge about the data being carried.
I.e., firewall != packet filter; my question related to firewalls.
A packet filter is often part of a firewall, though it's usually not a complete solution. However, I'd disagree with your blanket assertion. A better way to phrase it is that a firewall at a given level cannot protect against attacks at a different level. Packet filters don't block SMTP weirdness or filter Evilscript from web pages; web proxies don't guard against, say, ACK scans. It's like it says on the tube of toothpaste: a packet filter (or for that matter, a firewall) is an effective security device if used as part of a program of good network hygiene and regular professional care. --Steve Bellovin, http://www.cs.columbia.edu/~smb