
Re: [FW1] ACL's vs Firewalls

Have you tried out Sidewinder from Secure Computing? It's an L7 FW. It will do all that you want, i.e. application specific.
 
regards,
sheik abdulla j
----- Original Message -----
Sent: Thursday, September 13, 2001 3:36 AM
Subject: RE: [FW1] ACL's vs Firewalls

Agreed, packet filters (firewall or router, stateful or not) do not take care of application-level firewalling (i.e. checking to make sure that traffic on TCP 80 is *really* HTTP). But as you say, products that advertise themselves as catching this don't always deliver as you expect. CP's application-level filtering has holes in it, and even Raptor has problems in this regard (for any traffic that doesn't match their pre-defined list).

Buyer beware... research and make sure you know what you are getting before you put your money down.

Greg S.

PS - Actually I'd be interested in hearing about an application firewall product that allows you to (easily?) define criteria for valid traffic on a specific port (i.e. matching a specific protocol specification). ???


-----Original Message-----
From: Sheik Abdulla [mailto:[email protected]]
Sent: Wednesday, September 12, 2001 7:33 AM
To: Volker Tanger
Cc: [email protected]
Subject: Re: [FW1] ACL's vs Firewalls



Most of the ACL filtering firewalls just strip down the packet to see the
port and IP address. Based on that they permit the packets. But
Napster/Morpheus/IRC can hide in the permitted port numbers, say 80, 8080,
3128. If you want to block them, it is not possible in ACL filtering
firewalls. You need application firewalls, such as the Security Servers concept
in CP. CP can boast that it does application-level filtering as well, but
you need to specify which application can run on which port.

regards,
sheik
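The check Sheik describes here, and that Greg asks for in his PS above (is the traffic on TCP 80 *really* HTTP?), as an added example that is not code from the original thread: a small Python validator that parses the first client request the way an application-level proxy would, applying the HTTP/1.x request-line and header-field grammar (simplified from RFC 7230) and rejecting IRC commands or a binary peer-to-peer handshake that ride on a permitted port. The sample payloads are constructed for the example.

```python
"""Is the traffic on a permitted port really HTTP?

Added example, not code from the original thread.  A packet filter that
permits TCP/80, 8080 or 3128 accepts any payload; an application-level
filter has to parse it.  This validator applies the HTTP/1.x request-line
and header-field grammar (simplified from RFC 7230) to the first client
request of a stream.  The sample payloads at the bottom are constructed.
"""
import re
from typing import Dict, Tuple

METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.([01])$")
# field-name ":" OWS field-value OWS; values limited to printable ASCII and tab
HEADER_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*([\x20-\x7e\t]*?)[ \t]*$")
CONNECT_TARGET = re.compile(rb"^[A-Za-z0-9.\-]+:\d{1,5}$")


def validate_http_request(payload: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for the first request in a client->server stream."""
    end = payload.find(b"\r\n\r\n")
    if end == -1:
        return False, "no complete header block (missing CRLF CRLF)"
    lines = payload[:end].split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "request line is not 'METHOD SP target SP HTTP/1.x'"
    method, target, minor = m.group(1), m.group(2), m.group(3)
    if method not in METHODS:
        return False, "unknown method %s" % method.decode()
    if method == b"CONNECT":
        if not CONNECT_TARGET.match(target):
            return False, "CONNECT target is not host:port"
    elif not (target.startswith(b"/") or target.lower().startswith(b"http://")
              or (method == b"OPTIONS" and target == b"*")):
        return False, "request target is neither origin-form nor absolute-form"
    host_seen = False
    for raw in lines[1:]:
        h = HEADER_LINE.match(raw)
        if h is None:
            # e.g. an IRC "NICK ..." command has no colon-separated field name
            return False, "malformed header line %r" % raw
        if h.group(1).lower() == b"host":
            host_seen = True
    if minor == b"1" and not host_seen:
        return False, "HTTP/1.1 request without Host header"
    return True, "ok"


# Constructed client payloads, as they would arrive on a permitted port.
SAMPLE_FLOWS = {
    "plain GET on 80":              b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: t\r\n\r\n",
    "proxy-style GET on 3128":      b"GET http://www.example.com/ HTTP/1.0\r\nUser-Agent: t\r\n\r\n",
    "IRC login on 80":              b"NICK somebody\r\nUSER somebody 0 * :Some Body\r\n\r\n",
    "IRC behind a fake request line": b"GET / HTTP/1.1\r\nNICK somebody\r\n\r\n",
    "binary P2P handshake on 8080": b"\x13\x00\x00\x00\x02\x00\x6bGET\x00\x01\r\n\r\n",
    "HTTP/1.1 without Host":        b"GET / HTTP/1.1\r\n\r\n",
}


def classify_flows(flows: Dict[str, bytes] = SAMPLE_FLOWS) -> Dict[str, Tuple[bool, str]]:
    """Run the validator over every sample and return the verdicts by name."""
    return {name: validate_http_request(data) for name, data in flows.items()}


if __name__ == "__main__":
    for name, (ok, reason) in classify_flows().items():
        print("%-32s %s  (%s)" % (name, "permit" if ok else "deny  ", reason))
```

Run as a script it prints one verdict per sample. The caveat is the one Greg raises: the validator only proves that the first request is well-formed HTTP. A client that speaks correct HTTP and carries another protocol in request bodies, or that uses CONNECT to open a tunnel, still passes unless the proxy also constrains methods, targets, bodies and every subsequent request on the connection.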

----- Original Message -----
From: "Volker Tanger" <[email protected]>
To: "Holland, Stephen" <[email protected]>
Cc: "[email protected]"
<[email protected]>
Sent: Monday, September 10, 2001 4:36 PM
Subject: Re: [FW1] ACL's vs Firewalls




Greetings!

"Holland, Stephen" wrote:

> I am wondering if someone knows of a whitepaper or just general
> knowledge of why firewalls are better than ACL's. I am aware of the
> stateful inspection that Checkpoint can do, but with an ACL you can
> create rules to allow "established connections", thus looking deeper
> into the packet. Stuff like that. I have a good understanding of CP,
> but not ACL and wanted to compare the two. Just looking for some
> in-depth reading.
>

The ACL "established" keyword (at least the Cisco type) does NOT do stateful
connection control, but allows ALL "answer" packets with port >1024 and
ACK bit set, regardless of current connections. This is static,
non-stateful packet filtering.

Checkpoint and other dynamic (stateful) packet filters only allow answer
packets with ACK-bit set and ports exactly matching current connections.

HTH
    Volker

--

Volker Tanger  <[email protected]>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/
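Volker's distinction in working code, as an added example that is not from the original thread: a Python model of the inbound leg of a Cisco-style `permit tcp any any gt 1023 established` rule beside a minimal stateful filter that records outbound SYNs and admits inbound packets only when all four address and port fields match a recorded connection. The addresses, ports and packet sequence are constructed for the example; the only fact about the real product relied on is that the IOS `established` keyword matches packets with the ACK or RST bit set.

```python
"""Static 'established' ACL versus stateful connection tracking.

Added example, not code from the original thread.  Models the inbound leg of
    access-list 101 permit tcp any any gt 1023 established
next to a table of tracked connections, to show that the ACL accepts any
ACK- or RST-flagged packet to a high port while the stateful filter accepts
only replies to a connection the inside host actually opened.  Hosts and
packets below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]     # any of "SYN", "ACK", "RST", "FIN"
    inbound: bool             # True: arrives from the outside interface


def established_acl_permits(pkt: Packet) -> bool:
    """'permit tcp any any gt 1023 established' applied to inbound packets.
    IOS 'established' is true when the ACK or RST bit is set; the router keeps
    no connection table, so that bit test and the port range are the whole check.
    Outbound traffic is permitted unconditionally in this example."""
    if not pkt.inbound:
        return True
    return pkt.dport > 1023 and bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Minimal dynamic packet filter: an outbound SYN creates an entry, and an
    inbound packet is permitted only if its 4-tuple exactly matches an entry."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.connections: set = set()

    def permits(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.connections:
            return False              # reply to a connection we never saw opened
        if "RST" in pkt.flags:
            self.connections.discard(key)   # peer tore the connection down
        return True


INSIDE, WEB, SCANNER = "10.0.0.5", "198.51.100.7", "203.0.113.9"
F = frozenset

# Constructed traffic: one legitimate web fetch, then the probes an ACK scan sends.
SCENARIO: List[Tuple[str, Packet]] = [
    ("outbound SYN to web server",    Packet(INSIDE, 40000, WEB, 80, F({"SYN"}), False)),
    ("SYN/ACK reply from web server", Packet(WEB, 80, INSIDE, 40000, F({"SYN", "ACK"}), True)),
    ("data ACK from web server",      Packet(WEB, 80, INSIDE, 40000, F({"ACK"}), True)),
    ("unsolicited ACK to high port",  Packet(SCANNER, 31337, INSIDE, 40001, F({"ACK"}), True)),
    ("unsolicited ACK to X11 (6000)", Packet(SCANNER, 80, INSIDE, 6000, F({"ACK"}), True)),
    ("unsolicited RST to high port",  Packet(SCANNER, 80, INSIDE, 40000, F({"RST"}), True)),
    ("unsolicited ACK to ssh (22)",   Packet(SCANNER, 31337, INSIDE, 22, F({"ACK"}), True)),
    ("inbound SYN to high port",      Packet(SCANNER, 5555, INSIDE, 40000, F({"SYN"}), True)),
]


def run_scenario(scenario=SCENARIO) -> Dict[str, Tuple[bool, bool]]:
    """Return {label: (acl_permits, stateful_permits)}, processing packets in order."""
    sf = StatefulFilter()
    return {label: (established_acl_permits(p), sf.permits(p)) for label, p in scenario}


if __name__ == "__main__":
    for label, (acl, stateful) in run_scenario().items():
        print("%-32s ACL=%-6s stateful=%s" % (label, "permit" if acl else "deny",
                                              "permit" if stateful else "deny"))
```

The three "unsolicited ACK" packets are what an ACK scan such as `nmap -sA` sends. Through the static rule they reach the inside host, which answers every one with a RST and so tells the scanner that the host is up and those ports are unfiltered; the stateful filter drops them because no outbound SYN ever created a matching entry. The forged RST case shows the same gap for connection teardown.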




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
