Re: [FW1] ACL's vs Firewalls
Greetings!

"Holland, Stephen" wrote:

> I am wondering if someone knows of a whitepaper or just general
> knowledge of why firewalls are better than ACL's. I am aware of the
> stateful inspection that Checkpoint can do, but with an ACL you can
> create rules to allow "established connections" thus looking deeper
> into the packet. Stuff like that. I have a good understanding of CP,
> but not ACL and wanted to compare the two. Just looking for some
> in-depth reading.
>

ACLs "established" (at least the Cisco type) does NOT do stateful connection control, but allows ALL "answer" packets with port >1024 and ACK-bit set - regardless of current connections. This is static, non-stateful packet filtering.

Checkpoint and other dynamic (stateful) packet filters only allow answer packets with ACK-bit set and ports exactly matching current connections.

HTH

Volker

--
Volker Tanger <[email protected]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/
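
The difference described in the message above, as an added Python example that is not part of the original mail: a static "established" check (ACK set, destination port above 1024, as the message states it) next to a connection-tracking filter, both run over the same inbound packets. The `Packet` type, the function and class names, and all addresses and ports are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample packets; flags is a string of TCP flag letters (S, A, R, F).
Packet = namedtuple("Packet", "src sport dst dport flags")

def static_established(pkt):
    """Static check as the message describes it: an inbound packet passes
    if ACK is set and the destination port is above 1024. No lookup."""
    return "A" in pkt.flags and pkt.dport > 1024

class StatefulFilter:
    """Connection-tracking filter: inbound packets must match a connection
    that an inside host opened. Timeouts and teardown are left out."""
    def __init__(self):
        self.connections = set()

    def outbound(self, pkt):
        # A bare SYN from the inside opens a new tracked connection.
        if "S" in pkt.flags and "A" not in pkt.flags:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        # A reply has the endpoints of the tracked connection reversed.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "A" in pkt.flags and key in self.connections

def compare():
    """Return {label: (static_verdict, stateful_verdict)} for sample traffic."""
    fw = StatefulFilter()
    fw.outbound(Packet("10.0.0.5", 40000, "192.0.2.10", 80, "S"))
    inbound = {
        "reply to tracked connection":
            Packet("192.0.2.10", 80, "10.0.0.5", 40000, "SA"),
        "ACK from unrelated host":
            Packet("198.51.100.7", 80, "10.0.0.5", 40001, "A"),
        "ACK from same server, wrong port":
            Packet("192.0.2.10", 80, "10.0.0.5", 40002, "A"),
        "new inbound SYN":
            Packet("198.51.100.7", 5555, "10.0.0.5", 8080, "S"),
    }
    return {label: (static_established(p), fw.inbound(p))
            for label, p in inbound.items()}

if __name__ == "__main__":
    for label, (static, stateful) in compare().items():
        print(f"{label:34} static={static!s:5} stateful={stateful}")
```

Both filters drop the bare inbound SYN and pass the genuine reply; only the connection-tracking filter drops the two ACK packets that match no open connection.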