"Reckhard, Tobias" wrote:
>
> Bottom line is that you need something that is 'application-aware' when
> dealing with protocols such as FTP, ones that involve negotiation of TCP/IP
> parameters between the communicating parties. ALGs are application-aware by
> definition concerning this group of protocols (plug-gw won't help you with
> FTP), stateful inspection can theoretically be application-aware, too, while
> conventional packet filters aren't. The point is, though, that to be fully
> application-aware you need to write an ALG, it's in the very meaning of the
> words: *application level* gateway.
As to the possibility of stateful inspection being fully application
aware, consider this. If a stateful inspection firewall only makes
filtering decisions based on the current packet and information culled
from previous packets, it can be fooled. That is what happened to
Checkpoint with the PASV FTP vulnerability. When you are dealing with
making decisions using information at the application layer, you may
need information in *subsequent* packets to definitively determine that
the current packet is safe to pass or to make a state table change. In
other words some amount of TCP stream reassembly may be required. Or
you can do what Checkpoint did as a "fix" and restrict the permitted
traffic to a subset of valid TCP behavior. :^(
-paul
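An added illustration of the reassembly point above (example code, not from this thread or any firewall product): a constructed FTP `227 Entering Passive Mode` reply is delivered as two TCP segments split mid-line, which is legal TCP behaviour, and inspected three ways: packet-at-a-time, with control-channel reassembly, and with the restrictive "a reply may not span segments" rule. The sample reply, the inspector names and the split point are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: one FTP control-channel reply as a server would send it.
PASV_REPLY = b"227 Entering Passive Mode (10,0,0,5,19,137)\r\n"
# The same reply as two TCP segments, split in the middle of the line.
SPLIT_SEGMENTS = [PASV_REPLY[:30], PASV_REPLY[30:]]

PASV_RE = re.compile(rb"^227 [^\r\n]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) if `line` holds a complete 227 reply, else None."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:   # malformed octet/port byte
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def per_packet_pinholes(segments: List[bytes]) -> List[Tuple[str, int]]:
    """Packet-at-a-time inspection: each segment is judged on its own, so a
    reply split across segments is never recognised (no pinhole is opened)."""
    return [r for seg in segments if (r := parse_pasv(seg)) is not None]

class ReassemblingInspector:
    """Buffers the control channel until a whole CRLF-terminated line exists,
    then decides; this is the 'some amount of TCP stream reassembly' case."""
    def __init__(self, single_segment_only: bool = False):
        self.buf = b""
        self.single_segment_only = single_segment_only
        self.pinholes: List[Tuple[str, int]] = []
        self.rejected = False

    def feed(self, seg: bytes) -> None:
        if self.single_segment_only and self.buf:
            # Restrictive alternative: refuse any reply line that spans
            # segments, i.e. permit only a subset of valid TCP behaviour.
            self.rejected = True
            return
        self.buf += seg
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            r = parse_pasv(line)
            if r is not None:
                self.pinholes.append(r)
```

With the split sample, the packet-at-a-time inspector opens nothing, the reassembling one opens 10.0.0.5:5001 only after the second segment completes the line, and the restrictive one rejects the session outright.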
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]