Re: 56k dial up on laptop 802.11G ?
- From: floyd@xxxxxxxxxx (Floyd L. Davidson)
- Date: Fri, 29 Jul 2005 16:42:47 -0800
Duane Arnold <notme@xxxxxxxxx> wrote:
>floyd@xxxxxxxxxx (Floyd L. Davidson) wrote:
>> So let's skip the similar parts, and examine what these differences
>> are!
>>
>> A router with filtering:
>>
>> "doesn't operate at the Application Gateway level of the
>> OSI model. It doesn't break the client/server model; it
>> doesn't have un-trusted and trusted zones."
>>
>> A "FW appliance":
>>
>> "operates at the Application Gateway level of the OSI model,
>> breaks the client/server model, and has un-trusted and trusted
>> zones."
>>
>> First, there is no "Application Gateway level" in the OSI model.
>> You are confused. An "application gateway" is a type of
>> firewall, which consists of a proxy server that does indeed break
>> the "client/server model" in that it breaks connections into two
>> segments, placing itself in the middle, and allows only traffic
>> which matches the rules it applies.
>
>So I gather that you looked that up somewhere.

Apparently *you* just now looked it up...

On the other hand I've been dealing with the difference, which you
don't even seem to be aware of, between the OSI Layered Model and
the reality of TCP/IP since the OSI Layered Model first appeared.

>The FW appliance has it. So my wording of it is wrong of what the OSI title
>is and that is off. The FW appliance uses an Application gateway/proxy FW
>and operates at the Application Level of the OSI model.

That is correct. Note that the Linux kernel provides the same
functionality. The difference is merely whether it is done in
user space or kernel space. That would indeed be of
significance *if* this was a firewall on the same platform that
is actually running the application (e.g., a ftp server or httpd
server); but we are talking about a separate unit that has only
Ethernet connectivity to the hardware which runs the servers.
Hence it makes no difference whether it is done in user space or
in kernel space; other than which name is then attached to it.

>> Second, in the identical parts of your descriptions you say that
>> they *both* (which is correct) operate up through the
>> Application Layer. Then you deny that for one and not for the
>> other.
>
>> In fact Stateful Packet Inspection (SPI) does work all
>> the way up through the Application Layer.
>
>SPI provides Application level protocol awareness. SPI doesn't break the
>client/server model like the Application/proxy gateway FW. And neither does
>the packet filtering FW, from what I understand.

SPI doesn't, but of course if it is combined with a proxy
server, the functionality is exactly the same.

The fact that it provides NAT firewall functionality does not
prevent it from also providing SPI firewall functionality (which
you originally claimed and have now finally admitted does
happen).

The fact that it provides SPI firewall functionality does not
prevent it from also providing the same functionality as an
Application Gateway firewall too (proxies and application-specific
rules).

And in fact there are several genuine "Application Gateway
Firewall" products that do run under Linux. You might consider
why it is that none of them have been ported to the WRT54G!
(The answer is because it would add nothing to the existing
functionality.)

>> Linux systems, of which the WRT54G is an example, implement
>> multilayer firewalls. Your insistence that if it provides
^^^^^^^^^^^^^^^^^^^^^
>> routing then it doesn't do "true" firewall functions, is *still*
>> *wrong*.
>
>At this point I am not saying that the 54g doesn't fit the definition of a
>network FW.

You are still making false statements though.

At this point you have finally admitted that it is a "network"
firewall... But you were just claiming that it did not provide
the same services as a "Firewall Appliance", which you then
defined with a description which fit the WRT54G quite well.

>My view of the 54G router was based on the other Linksys

Which is to say you haven't got any idea what the WRT54G does
or does not do.

>products that cannot do what the 54G is apparently doing from the ones I
>have seen to date.

And despite the differences being pointed out many times, you
still insist on making false comparisons, using generic
definitions that don't necessarily apply to any given specific
piece of equipment, much less to the one we are discussing.

>If I am going to choose between the two, I am going with
>a FW appliance every time and not a router,

Of course if you need a router behind that FW appliance, that
just rings the bell labeled "stupid".

And it doesn't get any better if you don't need a "router" but
end up paying twice the price for something that isn't any
better.

>which I consider the 54g to be
>a packet filtering FW router.

Who cares what you "consider" it to be? You don't know what it
is and have admitted it.

>If I go with something like a 54g, then it's
>going to sit outside the trusted zone of a FW appliance and VPN into the FW
>appliance, simply because it's wireless.

Of course many of us are using them with the wireless turned
off. Moreover, with something like DD-WRT firmware it is easy
to reconfigure the vlan/bridge and isolate the wireless through
the firewall.

What you are still missing is that it is *far* more versatile
than you have imagined.

>> The WRT54G, for example, provides for proxies, port forwarding,
>> and a DMZ, all with dynamic packet filtering rules. It has all
>> of the functionality you require for a "FW appliance".
>
>Show me some documentation verifying that 54g router has been classified to
>be a FW appliance and not a packet filtering NAT FW router.

I could care less whether anyone has or not "classified" it as
this or that. The point is that we *know* that it has the
functionality that *you* used to define "a FW appliance".
--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) floyd@xxxxxxxxxx