Re: [FW1] ACL's vs Firewalls



Most of the ACL filtering firewalls do just strip down the packet to see the
port and IP address. Based on that they permit the packets. But
Napster/Morpheus/IRC can hide in the permitted port numbers, say 80, 8080,
3128. If you want to block them, it is not possible in ACL filtering
firewalls. You need application firewalls, such as the Security Servers concept
in CP. CP can boast that it does application-level filtering as well, but
you need to mention the application that can run on which port.

regards,
sheik

----- Original Message -----
From: "Volker Tanger" <[email protected]>
To: "Holland, Stephen" <[email protected]>
Cc: "[email protected]"
<[email protected]>
Sent: Monday, September 10, 2001 4:36 PM
Subject: Re: [FW1] ACL's vs Firewalls




Greetings!

"Holland, Stephen" wrote:

> I am wondering if someone knows of a whitepaper or just general
> knowledge of why firewalls are better than ACLs. I am aware of the
> stateful inspection that Checkpoint can do, but with an ACL you can
> create rules to allow "established connections", thus looking deeper
> into the packet. Stuff like that. I have a good understanding of CP,
> but not ACLs, and wanted to compare the two. Just looking for some
> in-depth reading.
>

ACL "established" (at least the Cisco type) does NOT do stateful
connection control, but allows ALL "answer" packets with port >1024 and
the ACK bit set, regardless of current connections. This is static,
non-stateful packet filtering.

Checkpoint and other dynamic (stateful) packet filters only allow answer
packets with ACK-bit set and ports exactly matching current connections.

HTH
    Volker

--

Volker Tanger  <[email protected]>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/
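A toy simulation of the two behaviours Volker contrasts, added here as an example and not part of any post in the thread nor of Cisco's or Check Point's code. The inbound ACL is modelled as the usual "permit ... gt 1023 established" rule; the stateful filter keeps a table of connections opened from inside. Addresses, ports and packets are constructed for illustration.

```python
# Added example: toy simulation of the two filters described above; packet
# records and addresses are constructed, not real Cisco/Check Point code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False

def established_acl_allows(pkt: Packet) -> bool:
    """Static inbound ACL: any packet with the ACK bit set and a destination
    port above 1023 passes, whether or not an inside host opened a connection."""
    return pkt.ack and pkt.dst_port > 1023

class StatefulFilter:
    """Dynamic filter: an outbound SYN creates a table entry; an inbound packet
    passes only if it has ACK set and its endpoints exactly match an entry."""
    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def note_outbound(self, pkt: Packet) -> None:
        if pkt.syn and not pkt.ack:  # inside host starts a new connection
            self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def allows_inbound(self, pkt: Packet) -> bool:
        # reverse the 4-tuple: the reply's destination is our original source
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return pkt.ack and key in self.table

def compare(outbound: Packet, inbound: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (static ACL verdict, stateful verdict) for each inbound packet."""
    sf = StatefulFilter()
    sf.note_outbound(outbound)
    return [(established_acl_allows(p), sf.allows_inbound(p)) for p in inbound]

# constructed traffic: one connection opened from inside, then three inbound packets
OUTBOUND_SYN = Packet("10.0.0.5", 40000, "203.0.113.7", 80, syn=True)
INBOUND = [
    Packet("203.0.113.7", 80, "10.0.0.5", 40000, syn=True, ack=True),  # genuine SYN-ACK reply
    Packet("203.0.113.9", 80, "10.0.0.5", 40001, ack=True),            # ACK with no connection
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, syn=True),            # unsolicited SYN
]
```

Running `compare(OUTBOUND_SYN, INBOUND)` shows the second packet admitted by the static ACL but dropped by the stateful filter, which is exactly the gap Volker describes.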




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
   All contents © 2004 Network Presence, LLC. All rights reserved.