It took a while for your question to get through to the list, but
here goes...

Raj Baby wrote:
> 
> [about checkpoint / sofaware and stateful inspection]
> Again the definition in page 4 of 8 says "stateful inspection extracts
> state-related information required for security decision from all
> application layers and maintain this information in dynamic state
> table for evaluating subsequent connection attempts."
> 
> Could you pl clarify ???

The checkpoint way is to assume that the TCP segments are all well-
aligned, and that they can just grep for strings in the raw TCP
segments.  This isn't the same as a real application gateway/filter.

From http://www.sofaware.com/html/tech_stateful.shtm:
 "For example, the outgoing PORT command of an FTP session could
  be saved so that an incoming FTP data connection can be 
  verified against it."

This assumption is what has opened them up to several dynamic
data channel vulnerabilities in the past (okay, there are other large 
vendors as well as open source firewalls that are also guilty of this, 
not only checkpoint), and which, to this date, as far as I know, 
still leaves you vulnerable to dynamic data channel exploits.

The lesson seems to be: "if you want to punch dynamic holes 
through the firewall using application data, make damn sure 
that what you end up parsing is the same as the receiving 
application will actually see, use and act on."


(Note that I'm not saying that stateful inspection that only relies
on layer 2--4 data is by necessity a Bad Thing. One does not need
to reassemble TCP streams to look at _that_ data. It's when layer 
seven and dynamic data channels get involved that things get ugly.)


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
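Added example, not part of the post above or of any vendor's code: a per-segment grep for the FTP PORT command, modelling the "well-aligned segments" assumption Mikael describes, next to a parser that first reassembles the control stream and only acts on complete lines, which is what the receiving FTP server sees. The segment payloads, the client address and the function names are constructed for the demonstration.

```python
# Constructed demonstration: per-segment matching versus stream reassembly
# for the FTP PORT command that dynamic data-channel pinholes depend on.
import re

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def parse_port_arg(line):
    """Parse one complete 'PORT h1,h2,h3,h4,p1,p2' line into (ip, port)."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # not a valid dotted-quad / 16-bit port encoding
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def pinholes_naive(segments):
    """Inspect each TCP payload on its own (the assumption criticised above).
    A command that straddles a segment boundary is never seen as a whole."""
    holes = []
    for seg in segments:
        for line in seg.split(b"\r\n"):
            parsed = parse_port_arg(line)
            if parsed:
                holes.append(parsed)
    return holes


def pinholes_reassembled(segments, client_ip):
    """Buffer the byte stream and parse only complete CRLF-terminated lines,
    as the FTP server does. Open a pinhole only when the advertised address
    matches the control-connection client ('verified against it')."""
    holes, buf = [], b""
    for seg in segments:
        buf += seg
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            parsed = parse_port_arg(line)
            if parsed and parsed[0] == client_ip:
                holes.append(parsed)
    return holes


# Constructed control-channel payloads: PORT is split across two segments.
SEGMENTS = [b"USER anon\r\nPO", b"RT 10,0,0,5,4,1\r\nLIST\r\n"]

if __name__ == "__main__":
    print("naive:      ", pinholes_naive(SEGMENTS))                      # []
    print("reassembled:", pinholes_reassembled(SEGMENTS, "10.0.0.5"))    # [('10.0.0.5', 1025)]
```

The naive pass opens nothing for the split command while the server still acts on it, which is exactly the mismatch the post warns about; the reassembling pass sees the same line the server does and additionally refuses an address that is not the control-connection peer.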