Ummm, I believe this to be one of the misconceptions of CheckPoint.  It's
true that the INSPECT engine runs between layer 2 and layer 3 of the OSI
model, because it grabs the packets directly from the interface.  The engine
DOES, however, inspect the entire packet...through layer 7.

CheckPoint is more than a smart packet filter.


-----Original Message-----
From: Heiko Ploehn [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 02, 1999 3:10 AM
To: Jason
Cc: [EMAIL PROTECTED]
Subject: Re: ipfilter 


> Another question..  I use ipfilter.  One thing that I'm told about
> commercial firewalls is that stateful inspection will make sure that it
> is indeed HTTP traffic going over port 80 rather than something else
> (and similar for other ports/protocols).
> 

No, stateful inspection, at least as Checkpoint introduced the name, means
that not only packets are inspected, but connections. It is done by storing the
information of a connection in several tables on the firewall. If a SYN/TCP
packet arrives the packet is inspected and compared to the policy. If the
packet is allowed an entry for this connection is made in the table. The
following packets for this connection are accepted without full inspection of
the packet. Thus it is not possible to send manipulated packets through the
firewall stating that they belong to already established connections. But this
is all done between layer 2 and 3 of the TCP/IP model. Thus the packets
usually don't reach layer 4 where their content could be inspected.

If you want to inspect the content of the packet you have to search for an 
application layer gateway like for example Gauntlet or Raptor Eagle.

Best regards

Heiko Ploehn

 


> Can this behaviour be simulated with ipfilter and ipnat using
> transparent proxies?
> 
> Thanks,
> Jason
> 
> On Wed, Dec 01, 1999 at 02:36:54PM +0100, [EMAIL PROTECTED] wrote:
> > At 11:40 01.12.99 +0800, Zheng Bokui wrote:
> > >Dear gurus,
> > >
> > >Is Darren Reed's IPFILTER a good tool comparing with commercial firewalls
> > >like Checkpoint FIREWALL-1 or CISCO PIX?
> > >
> > >Of course commercial ones provide more features. What I'm most concerned is
> > >security: Can I build a secure firewall with IPFILTER?
> > >
> > >
> > >TIA,
> > >Bokui
> > >
> > >-
> > >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> > >"unsubscribe firewalls" in the body of the message.]
> > >
> > >
> > yes IPFILTER is a good tool
> > 
> 

-- 
Dr. Heiko Ploehn                               AM Professional Services GmbH
Tel.: +49 89 64916339                          Geschwister-Scholl-Str. 4
Fax.: +49 89 6411636                           82031 Gruenwald
email [EMAIL PROTECTED]



