On 18/06/02 08:27 +0530, Arvind wrote:
> Never seen a comparison study. But firewalls like checkpoint are basically
> hybrid firewalls which do packet level filtering and application level
> filtering, while IPtables is only packet level filtering.

Checkpoint is an application level packet filtering firewall with proxies for a few common applications.

Iptables is a kernel mode packet filter.

> This is a huge difference as lots of hacking also happens at application
> level.

All cracking happens at the application layer. Try breaking into a box running no services, and not running idiotic client applications like IE/OE/O.

> What I feel is that IPtables has a long way to go, after all, it does nothing
> but just filter the packets. It _does_ not and cannot really monitor the
> content of the packets. When it can do this as well, it will be in the
> category of checkpoint and other hybrid firewalls.

No, iptables is the first line of defense. This should be followed by a set of application proxies (squid for http, etc) to guard your main daemons. Applications like an SMTP server can be secure enough to expose to the internet by default. Apache has few bugs, and most exploits are in cgi scripts. Try blocking a legitimate request to a badly written cgi using a simple protocol validating proxy. You can't. The ultimate defense is secure code. (Note the concept of defense in depth.)

Again, most of the application layer firewalls can be defeated by cryptography. A firewall is a security policy enforcement tool. See if you need a firewall or whether you can live with hardening each host. No firewall is going to protect a public unpatched IIS server.

To the OP: I had asked this question on the firewalls list earlier (http://lists.gnac.net/lists/listinfo/firewalls), so you should be hunting there as well. Of course, http://www.google.com is your friend.

Do you have people competent enough to use a command line? Or is a graphical administrative interface really required? Is a firewall going to enforce your policies? Will it really help? Remember that firewalls have a tough time blocking stuff like IM. Use policies for this.

Please do not top post, it makes your messages hard to read.
Devdas Bhagat

linux-india-help mailing list
https://lists.sourceforge.net/lists/listinfo/linux-india-help
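The layering the reply describes (a packet filter that decides on addresses and ports only, an application proxy that validates the protocol, and secure code behind both) as an added toy model in Python; this is not code from the thread, and the allowed ports, the 10.0.0.x admin network and the sample packets are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dport: int
    payload: bytes

# Packet-filter policy in the spirit of an iptables INPUT chain: default DROP,
# accept only the listed destination ports from the outside. Values are
# constructed for this example.
ALLOWED_PORTS = {80, 25}
TRUSTED_NET = "10.0.0."   # admin LAN prefix, may reach any port (assumed)

def packet_filter(pkt: Packet) -> bool:
    """True if ACCEPTed. Only addresses and ports are examined, never payload."""
    if pkt.src.startswith(TRUSTED_NET):
        return True
    return pkt.dport in ALLOWED_PORTS

# A minimal protocol-validating proxy for port 80: accept only a well-formed
# HTTP request line. It cannot tell a request to a buggy CGI from one to a
# sound CGI; that is what secure code has to handle.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) /[^ \r\n]* HTTP/1\.[01]\r\n")

def http_proxy(pkt: Packet) -> bool:
    if pkt.dport != 80:
        return True   # not HTTP, nothing for this proxy to check
    return REQUEST_LINE.match(pkt.payload) is not None

def defense_in_depth(pkt: Packet) -> str:
    """Run the packet through both layers and report where it stops."""
    if not packet_filter(pkt):
        return "dropped by packet filter"
    if not http_proxy(pkt):
        return "rejected by application proxy"
    return "delivered to application"

SAMPLES = {   # constructed traffic from an outside address
    "ssh_from_internet": Packet("203.0.113.5", 22, b"SSH-2.0-x\r\n"),
    "junk_on_port_80": Packet("203.0.113.5", 80, b"\x00\x01\x02 not http"),
    "valid_cgi_request": Packet(
        "203.0.113.5", 80, b"GET /cgi-bin/form.cgi?name=x HTTP/1.0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {defense_in_depth(pkt)}")
```

The third sample shows the point about cgi scripts: a well-formed request to a badly written CGI passes both layers, so only the code behind them can stop it.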
