Bernd Eckenfels wrote:
> 
> How can Fw1 reconstruct texts over IP boundaries if they don't keep track of
> the sequence number? Does this mean that the stateful inspection is not
> only limited by goofy inspection scripts (assume the PORT command at the
> start of the IP packet) but also by the architecture of the firewall?

You are talking about a couple of different subsystems here. For example
fragments are rebuilt for analysis prior to any rule base processing
(unless they _really_ fixed this in SP2) or having any state table entry
generated. This allows reassembly for checking purposes by SI. If the
all clear sounds, FW-1 refragments and spits the data out the other
side.

As for sequence numbers, they are not used in the state table but are
used in some of the "you think it's a proxy but it's not" Security
Servers. Beyond that, you are talking pattern matching on a per-packet
basis. Yes, this does mean that FW-1 has many of the same limitations as
some of the IDS products on the market.

But what did you expect, Raptor? ;)

Chris 
-- 
**************************************
[EMAIL PROTECTED]

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
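The limitation Chris describes (pattern matching per packet, with no sequence-number tracking in the state table) is easy to demonstrate in code. The following is an added example, not code from the original post or from FW-1: a naive per-packet matcher looks for an FTP `PORT` command in each TCP segment on its own, while a small sequence-number-aware reassembler (`StreamReassembler`, a hypothetical name) orders segments by sequence number, trims retransmitted overlap, and matches against the reassembled stream. The segments are constructed sample data; the point is that a command straddling a segment boundary, or arriving out of order, is invisible to the per-packet check but visible once the stream is rebuilt.

```python
"""Added example: per-packet matching vs. sequence-number reassembly.

Not the firewall's code. Segment payloads below are constructed samples.
"""
import re
from dataclasses import dataclass

# FTP PORT command: "PORT h1,h2,h3,h4,p1,p2" (six decimal octets).
PORT_RE = re.compile(rb"PORT \d{1,3}(?:,\d{1,3}){5}")


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # application data carried by this segment


def match_per_packet(segments):
    """Inspect each segment in isolation, as a per-packet engine would.

    Returns the sequence numbers of segments that contain a full match.
    A pattern split across two segments is never seen.
    """
    return [s.seq for s in segments if PORT_RE.search(s.payload)]


class StreamReassembler:
    """Rebuild one direction of a TCP stream from possibly unordered segments.

    next_seq is the sequence number we expect next; segments ahead of it
    are held until the gap is filled, and bytes we already have
    (retransmissions) are discarded.
    """

    def __init__(self, isn):
        self.next_seq = isn      # initial sequence number of the stream
        self.pending = {}        # seq -> payload, waiting for earlier data
        self.buffer = bytearray()

    def feed(self, seg):
        seq, data = seg.seq, seg.payload
        if seq < self.next_seq:
            overlap = self.next_seq - seq
            if overlap >= len(data):
                return           # pure retransmission, nothing new
            seq, data = self.next_seq, data[overlap:]  # keep the new tail
        self.pending[seq] = data
        # Drain every segment that is now contiguous with the buffer.
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            self.buffer += chunk
            self.next_seq += len(chunk)

    def data(self):
        return bytes(self.buffer)


def match_reassembled(segments, isn):
    """Reassemble the stream first, then match. Returns matched commands."""
    reasm = StreamReassembler(isn)
    for seg in segments:
        reasm.feed(seg)
    return [m.group(0) for m in PORT_RE.finditer(reasm.data())]


# Constructed samples (not captured traffic).
COMMAND = b"PORT 10,0,0,5,4,1\r\n"
ISN = 1000


def split_sample():
    """The same command split across two segments, delivered out of order,
    with the second segment retransmitted once."""
    first = Segment(ISN, COMMAND[:2])
    second = Segment(ISN + 2, COMMAND[2:])
    return [second, first, second]


def whole_sample():
    """The command carried in a single segment."""
    return [Segment(ISN, COMMAND)]


if __name__ == "__main__":
    print("per-packet, split  :", match_per_packet(split_sample()))
    print("reassembled, split :", match_reassembled(split_sample(), ISN))
    print("per-packet, whole  :", match_per_packet(whole_sample()))
```

Running it shows the per-packet matcher finding nothing on the split stream while the reassembler reports the full `PORT` command; only when the whole command sits in one segment do both agree. A real engine also has to bound how much out-of-order data it holds per connection and decide how to treat overlapping retransmissions that differ in content, which is exactly the per-connection state the post says FW-1 does not keep.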
