Steve Kalman wrote:
>
> Others will give detailed lists, but let me start off with the obvious.
> ACLs can act on any field in the headers from Transport down. They do not
> and cannot act on the contents of the packets.
Agreed, but show me one firewall on the market that implements layer 7
for more than maybe 5-6 protocols? White papers and product
implementations are two different things. Most of what you see on the
market today are plug gateways or stateful filters. With this in mind,
from a straight filtering ability, you don't get much more out of a high
end firewall. What you _do_ get is things like authentication, failover,
etc. These are features that are not included in any router
product I'm aware of.
> Also, with the exception of
> monitoring syn/ack bits, they are not stateful. With a few exceptions based
> on sequential packets to the same socket, every packet is treated as a new
> case.
This info is a wee bit out of date (well over a year).
Cisco ACLs can be stateful and have had that ability since IOS 11.3
(current is 12.0.9+). Outbound packets are recorded to a state table.
Inbound packets are evaluated against this table and are not allowed
through unless there is a match. You can choose to do only static
filtering, but the ability to do stateful is there as well.
> Firewalls change this behavior. They can notice when DoS or even DDoS
> attacks are taking place.
Again, not quite. Keep an eye on Bugtraq. An upcoming post will show at
least one example of when this is not always the case.
Also, can you give an example of one DoS or DDoS that a firewall can
detect and log but a Cisco router can not?
> They can examine the contents of packets looking
> for phrases such as the virus out last year with a woman's name,
Again, depends on the firewall and the implementation. IMO you're better
off doing this on a dedicated relay which can check content, virus scan,
etc. Some firewalls have this ability as an add-on but many do not. Even
if they do, you've now severely limited your product options and
possibly your functionality.
HTH,
Chris
--
**************************************
[EMAIL PROTECTED]
* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
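A small model of the two router filtering modes the reply contrasts (a static "established"-style match versus a reflexive state table built from outbound traffic), added here as an illustration and not code from the thread; the addresses, ports and the class/function names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}


def static_established(pkt: Packet) -> bool:
    """Static filter in the spirit of 'permit tcp any any established':
    inbound TCP is admitted whenever ACK or RST is set. There is no memory
    of what went out, so any unsolicited ACK-bearing segment also passes."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveFilter:
    """Reflexive-ACL style behaviour: each permitted outbound packet records
    a mirror-image entry; inbound packets are admitted only on a match."""

    def __init__(self) -> None:
        self.state: set = set()

    def outbound(self, pkt: Packet) -> bool:
        # Record the entry with src/dst swapped so the reply direction matches.
        self.state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.state


def demo() -> dict:
    """Constructed scenario: 10.0.0.5 opens a web connection to 192.0.2.10;
    separately, an unsolicited ACK-only segment arrives for 10.0.0.5:22."""
    fw = ReflexiveFilter()
    fw.outbound(Packet("tcp", "10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"SYN"})))
    reply = Packet("tcp", "192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))
    unsolicited = Packet("tcp", "198.51.100.7", 1234, "10.0.0.5", 22, frozenset({"ACK"}))
    return {
        "reply_static": static_established(reply),          # True
        "reply_reflexive": fw.inbound(reply),               # True
        "unsolicited_static": static_established(unsolicited),   # True: the gap
        "unsolicited_reflexive": fw.inbound(unsolicited),        # False: blocked
    }
```

The last two results are the difference the reply is pointing at: only the state table rejects inbound traffic that no inside host asked for.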