"Randall, Mark" wrote:
> 
> > to discuss the difference between stateful inspection and application
> > layer gateway, I didn't want to go too much into the details. Yes, for
> > certain protocols like http, ftp, smtp FW-1 is able to inspect the packet
> > through layer 7.
> 
> ...and for any other protocol, should it be important enough to learn the
> INSPECT language and write your own protocol engine. 


Yes, this would be enough, but it is not within the skills of the majority of
the security administrators I have met. Therefore most protocols are handled
in a packet-filter manner.


> 
> > But this is not the behavior for general services. Because otherwise it
> > would be very astonishing why FW-1 is so much faster than Raptor Eagle
> > (application layer gateway).
> 
> Not astonishing at all, IMO...  Considering that the FW-1 inspect engine
> runs in Ring 0 and Raptor is running out in Ring 3, the speed difference
> doesn't surprise me at all.

Because the stateful inspection of FW-1 is not working on layer 4, it is
faster than an application layer gateway.

> 
> > For the majority of protocols I think it is a smart packet filter. Further,
> > I don't think FW-1 stops a connection if you start a telnet session on
> > port 80 if you don't use the security server. In my opinion this was the
> > original question.
> 
> Okay, I must have missed this.  Why is somebody telnetting to port 80?  Just
> to verify a response from a web server?  Why should it be blocked?  I didn't
> catch this at all...and I suppose it doesn't matter much, as I don't really
> want to start any religious wars between stateful inspection and application
> gateways.

I like FW-1 very much, but I started this thread in an attempt to
explain to someone the difference between these two systems in only a few
words.

But what if a telnet daemon is listening on port 80? Then the user is
able to telnet to the internet, which might not be the intention of
the security administrator. I know there is http-tunnel, thus it is not
enough to use a proxy, but if you forbid your users to install their own
software on their clients, you can, in combination with an application
layer gateway, hinder your users from telnetting to the internet.


> I just couldn't help commenting, because it seems a lot of people think FW-1
> doesn't inspect beyond layer 3, since its engine sits below that layer...and
> some believe it to be nothing more than a traditional packet filter that
> happens to keep track of open connections.

I agree with you that FW-1 is not only a little better than a
traditional packet filter, but you cannot ignore the security
advantages of the ability to control the commands on layer 4 over the
stateful inspection approach.

Heiko Ploehn


-- 
Dr. Heiko Ploehn                        AM Professional Services GmbH
Tel.: 089-64916339                      Geschwister-Scholl-Str.4
Fax.: 089-6411636                       82031 Gruenwald
email [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
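The telnet-on-port-80 scenario from the reply above, as an added illustration that is not part of the original thread and not FW-1, Raptor or http-tunnel code: a toy stateful packet filter that tracks connection state but never reads the payload, beside a toy HTTP application layer gateway that relays a client stream only if it begins with a well-formed HTTP request. The three client streams (a plain GET, a telnet option negotiation sent to port 80, and telnet bytes wrapped in a syntactically valid HTTP POST the way a tunnel would do it), the flow tuples and the class and function names are all constructed for this example.

```python
"""Stateful packet filter vs. HTTP application layer gateway on the same
outbound TCP/80 streams.  Added illustration; all streams are constructed."""
import re

# RFC 2616 request line: Method SP Request-URI SP HTTP-Version CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}
# header line: token ':' printable-ASCII value
HEADER_LINE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[\x20-\x7e]*")


class StatefulFilter:
    """Rule 'clients may open TCP to port 80'.  Connection state is kept so
    that only flows which started with an admitted SYN pass, but the payload
    of an established flow is never examined."""

    def __init__(self, allowed_dst_ports):
        self.allowed = set(allowed_dst_ports)
        self.table = set()  # flows (src, sport, dst, dport) admitted on SYN

    def packet(self, flow, syn, payload):
        if flow in self.table:
            return True  # established: telnet, HTTP, anything passes
        if syn and flow[3] in self.allowed:
            self.table.add(flow)
            return True
        return False


class HttpGateway:
    """Proxy that relays a client stream only if it starts with a complete,
    well-formed HTTP request head; raw telnet on port 80 is dropped."""

    def stream(self, payload):
        m = REQUEST_LINE.match(payload)
        if m is None or m.group(1) not in HTTP_METHODS:
            return False  # does not even look like HTTP
        head_end = payload.find(b"\r\n\r\n")
        if head_end < 0:
            return False  # header block never terminated
        headers = payload[m.end():head_end]
        if headers and not all(HEADER_LINE.fullmatch(h) for h in headers.split(b"\r\n")):
            return False  # control bytes or malformed header lines
        return True


# telnet client option negotiation: IAC DO SUPPRESS-GO-AHEAD, IAC WILL TERMINAL-TYPE (RFC 854)
TELNET_NEGOTIATION = bytes([0xFF, 0xFD, 0x03, 0xFF, 0xFB, 0x18])

# constructed sample flows: (src, sport, dst, dport) and the client's first bytes
STREAMS = {
    "http_get": (("10.0.0.5", 40001, "192.0.2.10", 80),
                 b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
    "telnet_on_80": (("10.0.0.5", 40002, "192.0.2.10", 80), TELNET_NEGOTIATION),
    # telnet bytes carried as the body of a valid POST, as an http-tunnel would send them
    "tunnelled_telnet": (("10.0.0.5", 40003, "192.0.2.10", 80),
                         b"POST /tunnel HTTP/1.1\r\nHost: www.example.com\r\n"
                         b"Content-Length: 6\r\n\r\n" + TELNET_NEGOTIATION),
}


def evaluate(streams):
    """Return {name: (packet_filter_allows, gateway_allows)} for each stream."""
    pf = StatefulFilter(allowed_dst_ports={80})
    alg = HttpGateway()
    results = {}
    for name, (flow, payload) in streams.items():
        pf.packet(flow, syn=True, payload=b"")  # SYN to port 80 is admitted
        results[name] = (pf.packet(flow, syn=False, payload=payload), alg.stream(payload))
    return results


if __name__ == "__main__":
    for name, (pf_ok, alg_ok) in evaluate(STREAMS).items():
        print(f"{name:18s} packet filter: {pf_ok!s:5s} HTTP gateway: {alg_ok}")
```

The packet filter passes all three streams because each one is an established flow to an allowed port; the gateway stops the bare telnet session but, as the reply notes about http-tunnel, it cannot stop telnet that is wrapped in requests which are valid HTTP, so the gateway only helps when users cannot install a tunnel client of their own.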