Re: [FW1] ACL's vs Firewalls



Greetings!

"Holland, Stephen" wrote:

> I am wondering if someone knows of a whitepaper or just general
> knowledge of why firewalls are better than ACL's. I am aware of the
> stateful inspection that Checkpoint can do, but with an ACL you can
> create rules to allow "established connections", thus looking deeper
> into the packet. Stuff like that. I have a good understanding of CP,
> but not ACL and wanted to compare the two. Just looking for some
> in-depth reading.
>

ACLs' "established" (at least the Cisco type) does NOT do stateful
connection control, but allows ALL "answer" packets with port >1024 and
ACK-bit set - regardless of current connections. This is static,
non-stateful packet filtering.

Checkpoint and other dynamic (stateful) packet filters only allow answer
packets with ACK-bit set and ports exactly matching current connections.

HTH
    Volker

--

Volker Tanger  <[email protected]>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/
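
The difference described in the reply above, as an added Python example that is not part of the original message: a static "established"-style check (ACK bit set and port >1024, as the reply describes it) beside a minimal connection-table filter, both run over a constructed inbound packet trace. The addresses, ports, and all class and function names are assumptions for illustration; this models neither Cisco IOS nor Check Point code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags that are set, e.g. frozenset({"SYN", "ACK"})

def static_established(pkt):
    """Static rule as the reply describes it: ACK bit set and port > 1024.
    No connection table is consulted."""
    return "ACK" in pkt.flags and pkt.dport > 1024

class StatefulFilter:
    """Minimal connection table keyed on the outbound 4-tuple (illustrative)."""
    def __init__(self):
        self.conns = set()

    def outbound(self, pkt):
        if pkt.flags == {"SYN"}:  # new connection opened from inside
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        # Answer must carry ACK and mirror a recorded connection exactly.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACK" in pkt.flags and key in self.conns

def compare():
    """Run a constructed trace; return {label: (static_verdict, stateful_verdict)}."""
    fw = StatefulFilter()
    fw.outbound(Packet("10.0.0.5", 40000, "198.51.100.10", 80, frozenset({"SYN"})))
    inbound = {  # constructed sample packets arriving from outside
        "reply to tracked connection":
            Packet("198.51.100.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
        "ACK, same peer, wrong port":
            Packet("198.51.100.10", 80, "10.0.0.5", 40001, frozenset({"ACK"})),
        "ACK, no connection at all":
            Packet("203.0.113.7", 80, "10.0.0.9", 5000, frozenset({"ACK"})),
        "inbound SYN":
            Packet("203.0.113.7", 4444, "10.0.0.5", 8080, frozenset({"SYN"})),
    }
    return {k: (static_established(p), fw.inbound(p)) for k, p in inbound.items()}

if __name__ == "__main__":
    for label, (static, stateful) in compare().items():
        print(f"{label:30} static={static!s:5} stateful={stateful}")
```

Both filters pass the genuine reply and drop the bare inbound SYN; only the static rule passes the two ACK packets that match no recorded connection.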

   All contents © 2004 Network Presence, LLC. All rights reserved.