RE: proxy firewalls
Hi,
> Is there some documentation explaining the pros / cons
> of a proxy firewall and what the differences between
> them are?
>
> I don't want to start a flame war, just want to know what they
> are and what they do.
While not being able to give detailed information about that
Zorp thing-o, I can definitely tell you that using proxies and
packet filters do by no means exclude each other. They work
together well and for a decent setup one should at least
consider combining the two, maybe even several of them.
Generally the difference is, a proxy based firewall (also aptly
named application level firewall) works on the application layer
of the ISO/OSI model, interpreting your client's requests
and handing them on to the server themselves. Application level
gateways are not routers/gateways, such as packet filters
usually are (if not bridges).
Packet filters are usually routers/gateways connecting two
networks with the capability of filtering out IP packets based
on a set of admin-made rules. Generally speaking, there are
stateful and stateless packet filters, the former being able to
'inspect' and keep track of e.g. a TCP stream or the logical
link between an attempted UDP connection and the ICMP message
returned. Naturally, this is preferable. IPfilter has such
capabilities (hold your flamethrowers down), as well as ipfw and
the iptables stuff from recent Linux kernels. Make your pick,
but being on this list makes clear I'm biased and so should be
you ;o)
I understand you're in the fashion business (3Suisses... my wife
always has your catalogues). Protecting your trusted business
data with a combination of firewall technologies is probably not
a bad idea.
Hope that helps,
Jan
--
Radio HUNDERT,6 Medien GmbH Berlin
- EDV -
j.muenther@radio.hundert6.de
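
Added example, not part of the message above and not code from IPFilter, ipfw or iptables: a toy model of the stateless versus stateful distinction described in the message, including the link between a UDP packet and the ICMP error it triggers. The `Packet` fields, the static rule and the sample addresses are assumptions made for illustration; real filters also track TCP flags, sequence numbers and timeouts.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    direction: str                      # "out" = from inside, "in" = from outside
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    quoted: Optional["Packet"] = None   # ICMP errors quote the packet that caused them

def flow(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def stateless_allow(p):
    """Static rules: anything out, and inbound TCP that claims source port 80."""
    return p.direction == "out" or (p.proto == "tcp" and p.sport == 80)

class StatefulFilter:
    def __init__(self):
        self.states = set()             # flows opened from the inside

    def allow(self, p):
        if p.direction == "out":
            self.states.add(flow(p))    # remember the flow
            return True
        if p.proto == "icmp":           # error is tied to the flow it quotes
            return p.quoted is not None and flow(p.quoted) in self.states
        # a reply is the tracked flow with source and destination swapped
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.states

def demo():
    # Constructed sample packets (documentation address ranges).
    web = Packet("out", "tcp", "192.0.2.10", 40000, "198.51.100.5", 80)
    dns = Packet("out", "udp", "192.0.2.10", 5353, "198.51.100.53", 53)
    inbound = {
        "web reply": Packet("in", "tcp", "198.51.100.5", 80, "192.0.2.10", 40000),
        "unsolicited": Packet("in", "tcp", "203.0.113.9", 80, "192.0.2.10", 40001),
        "icmp unreachable": Packet("in", "icmp", "198.51.100.53", 0, "192.0.2.10", 0, dns),
    }
    fw = StatefulFilter()
    assert fw.allow(web) and fw.allow(dns)
    return {name: (stateless_allow(p), fw.allow(p)) for name, p in inbound.items()}

if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:18} stateless={stateless!s:5} stateful={stateful}")
```

The static rule admits any inbound TCP packet that claims source port 80 and drops the ICMP error, while the state table admits only traffic belonging to flows opened from the inside.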