Here are some very basic definitions; we describe these terms in greater detail elsewhere:
Marcus Ranum, who is generally held responsible for the popularity of this term in the firewalls professional community, says, "Bastions . . . overlook critical areas of defense, usually having stronger walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers".
There are legitimate questions about how to distinguish between packet filtering and proxying, particularly when dealing with complex packet filtering systems and simple proxies. Many people believe that systems that pay attention to individual protocols and/or modify packets should not be considered packet filters, and may even refer to these systems as transparent proxies. In fact, these systems don't behave much like older, simpler packet filtering systems, and it's a good idea not to apply generalizations about packet filtering to them blindly. On the other hand, they don't behave much like proxying systems, either.
Similarly, a number of proxying systems provide generic proxies, which essentially function like packet filters, accepting all traffic to a given port without analyzing it. It's advisable to pay close attention to the individual technology a product uses, without making assumptions based on whether it claims to be a packet filter or a proxy. However, many systems still are clearly packet filters or clearly proxies, so it is worth understanding what these technologies are and how they work.
|4.8. Attacks Based on Low-Level Protocol Details||5.2. Packet Filtering|
Copyright © 2002 O'Reilly & Associates. All rights reserved.