----- Original Message -----
Sent: Thursday, September 13, 2001 3:36 AM
Subject: RE: [FW1] ACL's vs Firewalls
Agreed, packet filters (firewall or router, stateful or not) do not take care of application level firewalling (i.e. checking to make sure that traffic on TCP 80 is *really* HTTP). But as you say, products that advertise themselves as catching this don't always deliver as you expect. CP's application level filtering has holes in it, and even Raptor has problems in this regard (for any traffic that doesn't match their pre-defined list).

Buyer beware... research and make sure you know what you are getting before you put your money down.

Greg S.

PS - Actually I'd be interested in hearing about an application firewall product that allows you to (easily?) define criteria for valid traffic on a specific port (i.e. matching a specific protocol specification). ???
-----Original Message-----
From: Sheik Abdulla [mailto:[email protected]]
Sent: Wednesday, September 12, 2001 7:33 AM
To: Volker Tanger
Cc: [email protected]
Subject: Re: [FW1] ACL's vs Firewalls
Most of the ACL filtering firewalls just strip down the packet to see the port and IP address. Based on that they permit the packets. But Napster/Morpheus/IRC can hide in the permitted port numbers, say 80, 8080, 3128. If you want to block them, it is not possible in ACL filtering firewalls. You need application firewalls, such as the Security Servers concept in CP. CP can boast that it does application level filtering as well, but you need to mention the application that can run on which port.

regards,
sheik
----- Original Message -----
From: "Volker Tanger" <[email protected]>
To: "Holland, Stephen" <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Monday, September 10, 2001 4:36 PM
Subject: Re: [FW1] ACL's vs Firewalls
Greetings!

"Holland, Stephen" wrote:
> I am wondering if someone knows of a whitepaper or just general
> knowledge of why firewalls are better than ACL's. I am aware of the
> stateful inspection that Checkpoint can do, but with an ACL you can
> create rules to allow "established connections", thus looking deeper
> into the packet. Stuff like that. I have a good understanding of CP,
> but not ACL and wanted to compare the two. Just looking for some
> in-depth reading.
>
ACL "established" (at least the Cisco type) does NOT do stateful connection control, but allows ALL "answer" packets with port >1024 and ACK bit set - regardless of current connections. This is static, non-stateful packet filtering.

Checkpoint and other dynamic (stateful) packet filters only allow answer packets with ACK bit set and ports exactly matching current connections.

HTH
Volker
--
Volker Tanger <[email protected]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/
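The difference Volker describes, as an added simulation in Python (not code from anyone in this thread): a static "established" entry versus a stateful filter that tracks the outbound connection and admits only its exact reverse. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def acl_established_permits(pkt: Packet) -> bool:
    """Static Cisco-style 'established' entry: permit any inbound packet
    with the ACK bit set and a destination port above 1024, without
    consulting any connection state."""
    return pkt.ack and pkt.dport > 1024


class StatefulFilter:
    """Dynamic filter: only replies that exactly reverse a tracked
    (client, cport, server, sport) tuple are permitted inbound."""

    def __init__(self) -> None:
        self.table = set()

    def outbound(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn and not pkt.ack:      # new outbound connection: record it
            self.table.add(key)
            return True
        return key in self.table         # later packets of a known flow

    def inbound(self, pkt: Packet) -> bool:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt.ack and reverse in self.table


def demo():
    """Run a constructed sequence through both filters; returns the
    per-packet verdicts (ACL list, stateful list) for two inbound packets."""
    sf = StatefulFilter()
    # inside host opens a web connection (constructed sample addresses)
    sf.outbound(Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True))
    inbound = [
        Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True),  # real reply
        Packet("198.51.100.7", 80, "10.0.0.5", 3128, ack=True),  # unsolicited ACK packet
    ]
    return ([acl_established_permits(p) for p in inbound],
            [sf.inbound(p) for p in inbound])
```

The second inbound packet carries ACK and targets a high port, so the static rule passes it, while the stateful table rejects it because no inside host ever opened that connection.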
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================