Even more than that...  What I really liked about CheckPoint was how they
put the crucial, connection handling portions into the kernel as a module.
It doesn't run in the user space and won't be nearly as affected if the
system gets bogged down with tasks.  Its sister component, which does run
in the user space, takes care of the things the kernel component cannot
do...like talk to the filesystem for logging.  This is one of the reasons
CheckPoint can achieve such high speed ratings while still doing some rather
complicated analysis of the traffic.


-----Original Message-----
From: Frank Darden [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 29, 1999 9:34 PM
To: 'Bernd Eckenfels'; Jerald Josephs
Cc: Randall, Mark; [EMAIL PROTECTED]
Subject: RE: Why not watch guard 2 ? (read on)


that is exactly why Check Point's inspect language really comes in handy..
If.. you can figure out the basics (fixed locations within packets) you can
easily compose inspect scripts for almost any protocol.. once you mentally
remove yourself from the gui, and start to REALLY use the capabilities of
your firewall, you'll begin to realize that inspect has the ability to check
all sorts of stuff. For instance, look at the RPC calls for exchange service
in FW-1.. If you looked at them need I say more? If you weren't intimidated,
I want your phone #..Stateful Inspection, when used properly, offers AWESOME
security options.. The only company I have seen really leverage
State/Context inspection is Check Point.

Frank
 

-----Original Message-----
From: Bernd Eckenfels [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 29, 1999 5:37 PM
To: Jerald Josephs
Cc: Randall, Mark; [EMAIL PROTECTED]
Subject: Re: Why not watchguard 2 ? (read on)


On Mon, Jun 28, 1999 at 10:22:21PM -0700, Jerald Josephs wrote:
> Are you absolutely convinced about that?
> Taking into the consideration of the numerous network services that
> technology has
> created over the past few years, wouldn't it be realistic to state that a
> screening router is not
> robust enough to allow such services to enter an enterprise securely?

No, it is the other way around. The flood of new protocols leads to the point
that the firewall vendors are not able to keep track and provide "secure"
proxies for most of the protocols. They merely are able to rename their plug
GW and use it for marketing "we support protocol X". Therefore a packet
filter is not much less secure.

Greetings
Bernd
-- 
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]