That's pretty much the delineation between Packet-filtering firewalls and
Application-layer proxies.
Here's the lame analogy I use to explain it to management.

Let's say I need to cross the US-Canada border. If I drive, I get to the
border crossing, show my passport, talk to the guard and explain where/why
I'm going and usually just continue with a 'Have a Nice Visit' Comment. If
they are a 'Deep Inspection' border guard, sometimes they open the trunk to
take a peak inside, but since I'm not that suspicious, I've never had my
luggage opened despite the fact I could easily have smuggled contraband.
If my car (my packet) had anything attached to it that could be hazardous,
it would more than likely to get through and activate its maliciousness on
the other side.

If I fly instead. I leave my packet (car) at the airport. I go through
multiple identity checks. I have my payload (luggage) x-rayed, sometimes
opened and searched, my carry on gets swabbed for 'badness', every pocket,
zipper and crevass of my laptop case gets rubber-gloved. Sometimes they even
find my lighter. I finally get on the flight, go through the other side, go
through customs again, rent a car and drive to my destination. The original
packet (car) remains at home, but my payload and myself have been re-written
to the shiny new rental car.

Basically, I've been proxied. I told you it was lame, but it works for my
family and neighbors when I tell them what I do.

> -----Original Message-----
> From:
> [] On
> Behalf Of Kelly Robinson
> Sent: Tuesday, November 13, 2007 10:59 PM
> To:
> Subject: [fw-wiz] Firewalls that generate new packets..
> Some firewalls, after receiving a packet, generate a new
> packet and populate it with data from the original, rather
> than forwarding the same packet that was received. What are
> the advantages and disadvantages of this approach? And does
> anyone have any examples of any firewalls that do this on the market?
> Thanks
> - k

firewall-wizards mailing list