Thank You very much for your answer.

Raj

-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 31, 2002 4:39 AM
To: Raj Baby; [EMAIL PROTECTED]
Subject: RE: question

I think it's appropriate here to quote one of the dormant list gurus:

"Carson's law of firewalls: Any sufficiently advanced application proxy is indistinguishable from any sufficiently advanced stateful inspection engine."

In my own opinion, I draw the line (purely for my own convenience) at how the packet is handled.

If a device passes packets through its own application (eg an SMTP gateway) and completely severs the TCP connection between the sending and receiving stations (ie internally retransmits the packet data from its own stack) then I call it an application proxy. An ALG does not route.

If a device passes the packet through really smart logic, looks at the application layer, and then does appropriate stuff, but still routes the same packet it received internally, I call it a stateful packet filter.

A "sufficiently advanced" SPF, as per Carson's quote, would do application level inspection, and also sanitise and change any parts of the packet header it thought were risky before routing it internally, thus making it _functionally_ indistinguishable from an ALG.

Checkpoint is a stateful packet filter. There is nothing that says SPFs can't look at the application layer; as noted below it's impossible to handle FTP without doing so (and even basic NAT routers can do that with no problems). The CP security servers (and I've actually never heard of anyone that claimed to use them) may do smart layer 7 checking, but they don't, AFAIK, sever the client/server TCP connection.

Once again, I invite any serious FW-1 guru to clarify this at a technical level (brochure readers and casual implementors, like me, needn't apply).

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA  PGP Key ID: 0x1A86E304

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Raj Baby
Sent: Wednesday, May 22, 2002 11:01 PM
To: Shimon Silberschlag; [EMAIL PROTECTED]
Subject: RE: question

Hi,

Thanks very much for the answer.

Would you pl refer this doc?

http://www.sofaware.com/html/tech_stateful.shtm

Its table (page 2 of 8) makes me believe that the stateful inspection does Application derived state + Information manipulation, which is done actually by an application filter. Right??

Again the definition in page 4 of 8 says "stateful inspection extracts state-related information required for security decision from all application layers and maintain this information in dynamic state table for evaluating subsequent connection attempts."

Could you pl clarify???

Thanks
Ricky

-----Original Message-----
From: Shimon Silberschlag [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 11:18 AM
To: Raj Baby; [EMAIL PROTECTED]
Subject: Re: question

The "security servers" (using CP terminology) can be considered application level gateways. This is why many think of CP as a hybrid firewall, as opposed to doing stateful inspection only. You can't do stuff like the PUT/GET you describe without going to layer 7 - checking the packet payload.

HTH,

Shimon Silberschlag
+972-3-9352785
+972-51-207130

----- Original Message -----
From: "Raj Baby" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 22, 2002 15:48
Subject: question

> Hi,
>
> If I configure firewall 1 in windows NT using rule base editor, is it going to be a stateful inspection??
>
> If that is the case, then why is content filtering used for application filtering like restricting an FTP GET or allowing an FTP PUT??
>
> I mean to say that is to be taken care by stateful inspection Right??)
>
> Help is greatly appreciated by a NOVICE in checkpt
>
> Thanks,
> Ricky (Baby Raj P)
> Computer Associates International, Inc
> Technology Consultant / NT Storage
> Tel: +1 866-422-2774
> E-Mail: [EMAIL PROTECTED]
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password, etc) Please go to:
> http://lists.gnac.net/mailman/listinfo/firewalls
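
Added example (not part of the original thread, and not Check Point code): the FTP case discussed above, written as a filter that reads the control channel to apply a GET/PUT policy and to record the announced data connection in a dynamic state table, without terminating the TCP connection itself. The class name, addresses, default policy and sample session are assumptions made for illustration.

```python
import re

# Active-mode FTP announces the data endpoint as: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")

class FtpControlInspector:
    """Inspects one FTP control connection (hypothetical class name)."""
    def __init__(self, client_ip, server_ip, denied_verbs=("RETR",)):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.denied_verbs = set(denied_verbs)   # RETR = "GET", STOR = "PUT"
        # Dynamic state table: (src_ip, dst_ip, dst_port) of announced data connections.
        self.expected = set()

    def inspect(self, line):
        """Return 'pass' or 'drop' for one client command line."""
        line = line.rstrip("\r\n")
        verb = line.split(" ", 1)[0].upper()
        if verb in self.denied_verbs:
            return "drop"                       # layer 7 policy on the verb
        if verb == "PORT":
            m = PORT_RE.match(line.upper())
            if not m:
                return "drop"                   # malformed argument
            nums = [int(g) for g in m.groups()]
            if any(n > 255 for n in nums):
                return "drop"                   # octet out of range
            ip = ".".join(map(str, nums[:4]))
            port = nums[4] * 256 + nums[5]
            if ip != self.client_ip:
                return "drop"                   # client names a third party
            self.expected.add((self.server_ip, ip, port))
        return "pass"

    def allow_data_connection(self, src_ip, dst_ip, dst_port):
        """One-shot match of a new connection against the state table."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.remove(key)
            return True
        return False

# Constructed sample session (not captured traffic).
SAMPLE = ["USER anonymous", "PORT 10,0,0,5,19,137", "STOR report.txt", "RETR secrets.txt"]

def run_sample():
    fw = FtpControlInspector("10.0.0.5", "192.0.2.10")
    return [fw.inspect(cmd) for cmd in SAMPLE]
```
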
