Title: RE: question

Thank you very much.


Raj

-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 31, 2002 4:39 AM
To: Raj Baby; [EMAIL PROTECTED]
Subject: RE: question


I think it's appropriate here to quote one of the dormant list gurus:

"Carson's law of firewalls:

Any sufficiently advanced application proxy is indistinguishable from
any
sufficiently advanced stateful inspection engine."

In my own opinion, I draw the line (purely for my own convenience) at
how the packet is handled. If a device passes packets through its own
application (eg an SMTP gateway) and completely severs the TCP
connection between the sending and receiving stations (ie internally
retransmits the packet data from its own stack) then I call it an
application proxy. An ALG does not route.

If a device passes the packet through really smart logic, looks at the
application layer, and then does appropriate stuff, but still routes the
same packet it received internally, I call it a stateful packet filter.

A "sufficiently advanced" SPF, as per Carson's quote, would do
application level inspection, and also sanitise and change any parts of
the packet header it thought were risky before routing it internally,
thus making it _functionally_ indistinguishable from an ALG.

Checkpoint is a stateful packet filter. There is nothing that says SPFs
can't look at the application layer; as noted below it's impossible to
handle FTP without doing so (and even basic NAT routers can do that with
no problems). The CP security servers (and I've actually never heard of
anyone that claimed to use them) may do smart layer 7 checking, but they
don't, AFAIK, sever the client/server TCP connection.

Once again, I invite any serious FW-1 guru to clarify this at a
technical level (brochure readers and casual implementors, like me,
needn't apply).

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA  PGP Key ID: 0x1A86E304
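
The distinction drawn above (an SPF inspects layer 7 but still routes the packet it received; an ALG terminates and re-originates the connection) and the FTP GET/PUT question further down are easiest to see in code. The following is an added illustration, not Check Point, SofaWare or any list member's code: a minimal FTP helper as a stateful packet filter would implement it. It reads the control channel to enforce a command policy (RETR allowed, STOR denied, a policy assumed for the example), derives the data connections it must expect from PORT and 227 replies into a dynamic state table, and never touches the TCP connection itself; each verdict is simply "route this packet on unchanged" or "drop it". The addresses and the session lines are constructed; the check that a PORT command names the client's own address is an added sanity check of the kind the "sufficiently advanced SPF" in the quote would do.

```python
import re
from dataclasses import dataclass, field

# Constructed example (not Check Point or SofaWare code): an FTP "helper" as a
# stateful packet filter would implement it. It inspects the FTP control channel
# (layer 7) to (a) enforce a command policy such as "GET allowed, PUT denied" and
# (b) derive the data connections it must expect, recording them in a dynamic
# state table. It never terminates the TCP connection; it only decides whether
# the packet it was handed is routed on unchanged.

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Policy assumed for the example: FTP GET (RETR) is allowed, FTP PUT (STOR) is not.
ALLOWED_COMMANDS = frozenset({"USER", "PASS", "TYPE", "CWD", "PWD", "LIST",
                              "PORT", "PASV", "RETR", "QUIT"})


def _hostport(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return host, port


@dataclass
class FtpInspector:
    client_ip: str
    server_ip: str
    # Dynamic state table: data connections the helper expects to see, keyed by
    # (src_ip, dst_ip, dst_port). An entry is consumed when its SYN arrives.
    expected: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def inspect_client_line(self, line: str) -> bool:
        """Client -> server control line. True = route the packet on unchanged."""
        cmd = line.split(" ", 1)[0].upper()
        if cmd not in ALLOWED_COMMANDS:
            self.log.append(f"deny command {cmd!r}")
            return False
        m = PORT_RE.match(line)
        if m:
            host, port = _hostport(m.groups())
            # Active mode: the server will connect from port 20 to the address the
            # client named. Refuse a PORT that names any host other than the client
            # itself, so the filter never opens a hole towards a third party.
            if host != self.client_ip or port < 1024:
                self.log.append(f"deny PORT {host}:{port}")
                return False
            self.expected.add((self.server_ip, self.client_ip, port))
        return True

    def inspect_server_line(self, line: str) -> bool:
        """Server -> client control line. True = route the packet on unchanged."""
        m = PASV_RE.match(line)
        if m:
            host, port = _hostport(m.groups())
            if host != self.server_ip:
                self.log.append(f"deny PASV to {host}:{port}")
                return False
            # Passive mode: the client will connect to the server on this port.
            self.expected.add((self.client_ip, self.server_ip, port))
        return True

    def data_syn_allowed(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """A SYN for a data connection passes only if the control channel announced it."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)  # one data connection per announcement
            return True
        self.log.append(f"deny unexpected data connection {src_ip}->{dst_ip}:{dst_port}")
        return False


def demo():
    """Walk a constructed FTP session through the inspector; return verdicts and log."""
    fw = FtpInspector(client_ip="10.0.0.5", server_ip="192.168.1.10")
    verdicts = {
        "retr": fw.inspect_client_line("RETR report.txt"),
        "stor": fw.inspect_client_line("STOR upload.bin"),
        "port": fw.inspect_client_line("PORT 10,0,0,5,4,1"),       # 10.0.0.5:1025
        "bounce": fw.inspect_client_line("PORT 10,0,0,99,4,1"),    # names another host
        "pasv": fw.inspect_server_line("227 Entering Passive Mode (192,168,1,10,195,80)"),
    }
    verdicts["active_data"] = fw.data_syn_allowed("192.168.1.10", "10.0.0.5", 1025)
    verdicts["active_replay"] = fw.data_syn_allowed("192.168.1.10", "10.0.0.5", 1025)
    verdicts["passive_data"] = fw.data_syn_allowed("10.0.0.5", "192.168.1.10", 50000)
    verdicts["stray_data"] = fw.data_syn_allowed("10.0.0.5", "192.168.1.10", 6000)
    return verdicts, fw.log


if __name__ == "__main__":
    results, log = demo()
    for name, ok in results.items():
        print(f"{name:14} {'PASS' if ok else 'DROP'}")
    print(*log, sep="\n")
```

Note what the helper does not do: it never answers the client or opens its own connection to the server. A proxy (ALG) would terminate the client's TCP session and open a fresh one to the server from its own stack; here the original packet is either routed or dropped, which is exactly the line drawn above between an SPF and an ALG.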

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Raj Baby
Sent: Wednesday, May 22, 2002 11:01 PM
To: Shimon Silberschlag; [EMAIL PROTECTED]
Subject: RE: question


Hi,
Thanks very much for the answer.
Would you please refer to this doc?
http://www.sofaware.com/html/tech_stateful.shtm
Its table (page 2 of 8) makes me believe that stateful inspection
does application-derived state + information manipulation, which is done
actually by an application filter. Right??
Again, the definition on page 4 of 8 says "stateful inspection extracts
state-related information required for security decisions from all
application layers and maintains this information in a dynamic state table
for evaluating subsequent connection attempts."
Could you please clarify???
Thanks
Ricky
-----Original Message-----
From: Shimon Silberschlag [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 11:18 AM
To: Raj Baby; [EMAIL PROTECTED]
Subject: Re: question


The "security servers" (using CP terminology) can be considered
application level gateways. This is why many think of CP as a hybrid
firewall, as opposed to doing stateful inspection only.
You can't do stuff like the PUT/GET you describe without going to
layer 7 - checking the packet payload.
HTH,
Shimon Silberschlag
+972-3-9352785
+972-51-207130
----- Original Message -----
From: "Raj Baby" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 22, 2002 15:48
Subject: question


> Hi,
>
> If I configure Firewall-1 on Windows NT using the rule base editor, is it
going to be stateful inspection??
>
>
> If that is the case, then why is content filtering used for
application filtering like restricting an FTP GET or allowing an FTP
PUT??
>
>
> I mean to say that this is to be taken care of by stateful inspection.
Right??
>
> Help is greatly appreciated by a NOVICE in checkpt
>
> Thanks,
> Ricky  (Baby Raj  P)
> Computer Associates International, Inc
> Technology Consultant / NT Storage
> Tel: +1 866-422-2774
> E-Mail: [EMAIL PROTECTED]
>
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password, etc)
Please go to:
> http://lists.gnac.net/mailman/listinfo/firewalls

