Ummm, I believe this to be one of the misconceptions of CheckPoint. It's
true that the INSPECT engine runs between layer 2 and layer 3 of the OSI
model, because it grabs the packets directly from the interface. The engine
DOES, however, inspect the entire packet...through layer 7.
CheckPoint is more than a smart packet filter.
-----Original Message-----
From: Heiko Ploehn [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 02, 1999 3:10 AM
To: Jason
Cc: [EMAIL PROTECTED]
Subject: Re: ipfilter
> Another question.. I use ipfilter. One thing that I'm told about
> commercial firewalls is that stateful inspection will make sure that it
> is indeed HTTP traffic going over port 80 rather than something else
> (and similar for other ports/protocols).
>
No, stateful inspection, at least as Checkpoint introduced the name, means
that not only packets are inspected, but connections. It is done by storing the
information of a connection in several tables on the firewall. If a SYN/TCP
packet arrives the packet is inspected and compared to the policy. If the
packet is allowed an entry for this connection is made in the table. The
following packets for this connection are accepted without full inspection of
the packet. Thus it is not possible to send manipulated packets through the
firewall stating that they belong to already established connections. But this
is all done between layer 2 and 3 of the TCP/IP model. Thus the packets
usually don't reach layer 4 where their content could be inspected.
If you want to inspect the content of the packet you have to search for an
application layer gateway like for example Gauntlet or Raptor Eagle.
Best regards
Heiko Ploehn
> Can this behaviour be simulated with ipfilter and ipnat using
> transparent proxies?
>
> Thanks,
> Jason
>
> On Wed, Dec 01, 1999 at 02:36:54PM +0100, [EMAIL PROTECTED] wrote:
> > At 11:40 01.12.99 +0800, Zheng Bokui wrote:
> > >Dear gurus,
> > >
> > >Is Darren Reed's IPFILTER a good tool comparing with commercial firewalls
> > >like Checkpoint FIREWALL-1 or CISCO PIX?
> > >
> > >Of course commercial ones provide more features. What I'm most
> > >concerned is security: Can I build a secure firewall with IPFILTER?
> > >
> > >
> > >TIA,
> > >Bokui
> > >
> > >-
> > >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> > >"unsubscribe firewalls" in the body of the message.]
> > >
> > >
> > yes IPFILTER is a good tool
> >
>
--
Dr. Heiko Ploehn AM Professional Services GmbH
Tel.: +49 89 64916339 Geschwister-Scholl-Str. 4
Fax.: +49 89 6411636 82031 Gruenwald
email [EMAIL PROTECTED]
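The connection-table behaviour Heiko describes above, as an added illustration that is not part of the thread and not Checkpoint's or ipfilter's code: a toy stateful filter in Python. The packet fields, the policy (which destination ports may be opened) and the sample traffic are constructed for the example. It shows the three points in the explanation: the SYN is the only packet checked against policy, later packets are accepted only when they match a table entry (so a forged packet claiming an existing connection is dropped), and the payload of an accepted packet is never looked at, which is why a port-80 connection carrying non-HTTP data passes.

```python
from dataclasses import dataclass, field

# Constructed packet model: only the fields a connection table needs.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" = SYN, "A" = ACK, "PA" = PSH/ACK
    payload: bytes = b""


@dataclass
class StatefulFilter:
    # Hypothetical policy: set of (destination host, destination port)
    # that may be opened by a new connection.
    policy: set
    # Connection table: (src, sport, dst, dport) of accepted connections.
    table: set = field(default_factory=set)

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        # The reply direction of an entry opened by the other side.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def handle(self, pkt) -> str:
        """Return 'accept' or 'drop'; only a SYN is compared to the policy."""
        if pkt.flags == "S":
            if (pkt.dst, pkt.dport) in self.policy:
                self.table.add(self._key(pkt))   # remember the connection
                return "accept"
            return "drop"
        # Any other packet: accepted only if it belongs to a known connection
        # (either direction). The payload is deliberately not examined, which
        # is the limitation the thread points out. A real implementation also
        # checks sequence numbers and expires entries, omitted in this toy.
        if self._key(pkt) in self.table or self._reverse_key(pkt) in self.table:
            return "accept"
        return "drop"


def run_scenario():
    """Feed constructed traffic through the filter and return the verdicts."""
    fw = StatefulFilter(policy={("web", 80)})
    traffic = {
        # 1. client opens a connection to the web server on port 80: policy hit
        "syn_to_80": Packet("client", 40000, "web", 80, "S"),
        # 2. HTTP request on that connection: matched by the table, not inspected
        "http_data": Packet("client", 40000, "web", 80, "PA", b"GET / HTTP/1.0\r\n"),
        # 3. non-HTTP data on the same port-80 connection: still accepted
        "ssh_on_80": Packet("client", 40000, "web", 80, "PA", b"SSH-2.0-toy\r\n"),
        # 4. reply from the server: matches the reverse of the table entry
        "server_reply": Packet("web", 80, "client", 40000, "PA", b"HTTP/1.0 200 OK"),
        # 5. forged ACK claiming an established connection that was never opened
        "forged_ack": Packet("outsider", 5555, "web", 80, "A"),
        # 6. SYN to a port the policy does not allow
        "syn_to_23": Packet("client", 40001, "web", 23, "S"),
    }
    return {name: fw.handle(pkt) for name, pkt in traffic.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:13s} -> {verdict}")
```

Run it and the verdicts line up with the explanation: the forged ACK and the disallowed SYN are dropped, while both the HTTP and the non-HTTP payload on the established port-80 connection are accepted, because the table answers "does this belong to a connection?" and nothing answers "is this really HTTP?". That second question is what the application layer gateways named in the thread exist for.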