Well, let's use SMTP as an example. Suppose you have a rule allowing SMTP through your
firewall.
SMTP is an ASCII-based command line protocol. A command is submitted as a line with
the format
<command> space [argument]
For instance, a sequence may be
HELO
MAIL FROM:[EMAIL PROTECTED]
RCPT TO:[EMAIL PROTECTED]
etc.
All you need on the AL firewall is a proxy that understands SMTP commands and checks
the data portion of the packet to see that it contains valid SMTP commands. This is
where the overhead comes in because you can potentially be analysing each and every
byte of traffic.
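The two checks contrasted in this thread, as an added example (not code from the thread, nor from any firewall product): a stateful-inspection style rule that matches on addresses and port alone, beside a proxy-style check that every client line on that connection has the `<command> space [argument]` shape with a known SMTP verb. The rulebase (SMTP on port 25 standing in for the ldap row above), the verb set and the sample byte strings are constructed for the example.

```python
"""Added example: port-only rule match versus an SMTP-aware application-level check."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str


# Constructed rulebase in the shape of the Source/Destination/Service/Action table in the thread.
RULES = [Rule("192.168.0.1", "10.0.0.1", 25, "Accept")]


def si_allows(src: str, dst: str, port: int) -> bool:
    """Stateful-inspection decision: addresses and port only; the payload is never inspected."""
    for rule in RULES:
        if (rule.src, rule.dst, rule.port) == (src, dst, port):
            return rule.action == "Accept"
    return False


# Command verbs the proxy accepts (a constructed subset of the standard SMTP verbs).
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
# "<command> space [argument]": four letters, then optionally a space and a printable-ASCII argument.
CMD_RE = re.compile(r"^([A-Za-z]{4})(?: ([ -~]*))?$")


def smtp_command_ok(line: bytes) -> bool:
    """True if one client line is a syntactically valid SMTP command line."""
    if len(line) > 512 or not line.endswith(b"\r\n"):   # command lines are CRLF-terminated
        return False
    try:
        text = line[:-2].decode("ascii")                 # non-ASCII bytes are not SMTP commands
    except UnicodeDecodeError:
        return False
    m = CMD_RE.match(text)
    if m is None:
        return False
    verb, arg = m.group(1).upper(), m.group(2)
    if verb not in SMTP_VERBS:
        return False
    if verb in ("MAIL", "RCPT"):                         # MAIL FROM:<...> / RCPT TO:<...>
        expected = "FROM:" if verb == "MAIL" else "TO:"
        return arg is not None and arg.upper().startswith(expected)
    if verb in ("DATA", "RSET", "QUIT"):                 # these verbs take no argument
        return arg is None
    return True                                          # HELO/EHLO/NOOP: any argument


def al_allows(src: str, dst: str, port: int, payload: bytes) -> bool:
    """Application-level decision: the rule must match AND the client data must be SMTP."""
    if not si_allows(src, dst, port):
        return False
    in_data = False
    for line in payload.splitlines(keepends=True):
        if in_data:                                      # message body: content, not commands
            if line == b".\r\n":                         # end-of-body marker: back to commands
                in_data = False
            continue
        if not smtp_command_ok(line):                    # every command line is checked
            return False
        if line[:4].upper() == b"DATA":
            in_data = True
    return True


# Constructed sample traffic: a well-formed SMTP session, and bytes that are not SMTP at all.
SMTP_SESSION = (b"HELO mail.example.com\r\n"
                b"MAIL FROM:<alice@example.com>\r\n"
                b"RCPT TO:<bob@example.net>\r\n"
                b"DATA\r\nSubject: hi\r\n\r\nhello\r\n.\r\n"
                b"QUIT\r\n")
NOT_SMTP = b"\x00\x00\x00\x1cNOT-SMTP-BINARY\x00\x01"


if __name__ == "__main__":
    args = ("192.168.0.1", "10.0.0.1", 25)
    print("SI, SMTP session :", si_allows(*args))
    print("SI, non-SMTP     :", si_allows(*args))            # same answer: port matches
    print("AL, SMTP session :", al_allows(*args, SMTP_SESSION))
    print("AL, non-SMTP     :", al_allows(*args, NOT_SMTP))  # rejected: not valid commands
```

The port-only decision is identical for both payloads, which is the point of the PC Anywhere-on-389 scenario; only the application-level check tells them apart, and it does so by reading every command line, which is where the overhead comes from. The check is deliberately limited to the client command channel: body lines after DATA are passed through until the terminating "." line, and server replies are not validated.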
>>> Johnston Mark <[EMAIL PROTECTED]> 5/22/2001 01:19:37 pm >>>
Thanks for the reply .....
So an AL firewall is a much more "clever" firewall. Obviously it's much more
resource intensive 'cos of all the connections that it needs to initiate,
and connections it needs to "monitor", but my question is how does it know
what ldap is compared to PCA. Is it something like in packet headers where
one can determine the type of OS by the packet structure? (passive
fingerprinting)
-----Original Message-----
From: Paul Murphy [mailto:[EMAIL PROTECTED]]
Sent: 22 May 2001 11:56
To: [EMAIL PROTECTED]; Johnston Mark
Subject: Re: Application Level and Stateful Inspection
This is a bit of a simplification, but let's say that all an SI firewall does
is ensure that connections from source to destination are established
correctly and in line with the rulebase you have defined, and are revoked on
inactivity. Let's say it also tracks sequence numbers and other details of
the connection to ensure no packets sneak through that aren't a part of an
existing valid connection.
So you would have a rule that says:
Source        Destination   Service   Action
192.168.0.1   10.0.0.1      ldap      Accept
So we allow ldap connections between these two addresses, if the connection
is instigated by the first.
But as far as the SI firewall is concerned, ldap is just a port number. It
doesn't refer to the protocol itself, just the port it uses to communicate.
In most situations an SI firewall doesn't understand what ldap *is*, just
what port it utilises.
So suppose you had PC Anywhere installed on 10.0.0.1, but you configured it
to listen on 389 (ldap port). It means you could establish a PCA connection
to 10.0.0.1 using the above rule that is supposed to be for ldap.
An application firewall works at a higher level. It knows exactly what ldap
is. So traffic passing through is checked to ensure it is actually ldap
traffic and nothing else. Usually, the source will make a connection to the
firewall, and the application firewall will establish a connection to the
destination. This is otherwise known as a proxy.
>>> Johnston Mark <[EMAIL PROTECTED]> 5/22/2001 10:07:28 am >>>
Hi all,
Could someone please be as kind to explain to me why an application level
firewall is more secure than a stateful inspection firewall.
Many thanks
Mark
---------------------------------------------------------------------------------------------------------------------------
CRESTCo Ltd., 33 Cannon Street, London EC4M 5SB (UK), +44 (020) 7849 0000, http://www.crestco.co.uk
The views expressed above are not necessarily those held by CRESTCo Limited.
---------------------------------------------------------------------------------------------------------------------------
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]