At 09:48 15/12/00 -0600, [EMAIL PROTECTED] wrote:

>Paul,
>
>#There are some actions that an ALG typically can't perform and a packet
>#filter can, but that's why almost everything is a hybrid of some sort.
>
>Are you talking about being able to pass H.323 or something similar or are
>there security actions that a packet filter can do but an ALG cannot?

I'm not sure what Paul meant, but an ALG sees payload, not the full IP
packet. For example, an ALG doesn't know if a packet came fragmented.
This is not a serious problem, unless the FW OS can be attacked using
IP-based things, such as malicious fragments.


cheers,
mouss
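
An added illustration of the point in the message above (not part of the original post, and not its author's code): the same request delivered whole, fragmented, and with overlapping fragments looks identical at the ALG layer, while a packet filter can see and flag the fragmentation. All names, addresses and packets are constructed; the IP payload stands in for the application data (transport header omitted), and later-fragment-wins reassembly is an assumption.

```python
import struct

def ipv4(ident, offset_bytes, more, payload, proto=6):
    """Build a minimal 20-byte IPv4 header + payload (constructed sample, checksum left 0)."""
    flags_frag = (0x2000 if more else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def parse(pkt):
    """Return (ident, offset_bytes, more_fragments, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total, ident, ff = struct.unpack("!HHH", pkt[2:8])
    return ident, (ff & 0x1FFF) * 8, bool(ff & 0x2000), pkt[ihl:total]

def filter_view(packets):
    """What a packet filter can observe: per-datagram fragmentation facts."""
    seen, findings = {}, []
    for pkt in packets:
        ident, off, more, data = parse(pkt)
        if not more and off == 0:
            continue  # unfragmented datagram, nothing to report
        findings.append(("fragment", ident, off))
        for o, d in seen.setdefault(ident, []):
            if off < o + len(d) and o < off + len(data):
                findings.append(("overlap", ident, off))
        seen[ident].append((off, data))
    return findings

def alg_view(packets):
    """What an ALG receives: reassembled bytes only, with no IP-layer history."""
    buf = {}
    for pkt in packets:
        ident, off, _, data = parse(pkt)
        b = buf.setdefault(ident, bytearray())
        if len(b) < off + len(data):
            b.extend(b"\0" * (off + len(data) - len(b)))
        b[off:off + len(data)] = data  # assumption: later fragment wins
    return b"".join(bytes(buf[i]) for i in sorted(buf))

# Constructed sample traffic: one request, three ways of delivering it.
REQ = b"GET /index.html HTTP/1.0\r\n\r\n"
WHOLE = [ipv4(1, 0, False, REQ)]
FRAGMENTED = [ipv4(2, 0, True, REQ[:16]), ipv4(2, 16, False, REQ[16:])]
OVERLAP = [ipv4(3, 0, True, REQ[:16]), ipv4(3, 8, True, REQ[8:24]),
           ipv4(3, 24, False, REQ[24:])]
```
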

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
