Ok,
to discuss the difference between stateful inspection and application layer
gateway, I didn't want to go too much into the details. Yes for certain
protocols like http, ftp, smtp FW-1 is able to inspect the packet through
layer 7.
But this is not the behavior for general services. Because otherwise it would
be very astonishing why FW-1 is so much faster than Raptor Eagle (application
layer gateway).
For the majority of protocols I think it is a smart packet filter. Further I
don't think FW-1 stops a connection if you start a telnet session on port 80
if you don't use the security server. In my opinion this was the original
question.
Without security server FW-1 behaves strongly like a smart packet filter.
Heiko Ploehn
> Ummm, I believe this to be one of the misconceptions of CheckPoint. It's
> true that the INSPECT engine runs between layer 2 and layer 3 of the OSI
> model, because it grabs the packets directly from the interface. The engine
> DOES, however inspect the entire packet...through layer 7.
>
> CheckPoint is more than a smart packet filter.
>
>
> -----Original Message-----
> From: Heiko Ploehn [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 02, 1999 3:10 AM
> To: Jason
> Cc: [EMAIL PROTECTED]
> Subject: Re: ipfilter
>
>
> > Another question.. I use ipfilter. One thing that I'm told about
> > commercial firewalls is that stateful inspection will make sure that it
> > is indeed HTTP traffic going over port 80 rather than something else
> > (and similar for other ports/protocols).
> >
>
> No, stateful inspection, at least as Checkpoint introduced the name, means
> that not only packets are inspected, but connections. It is done by storing
> the information of a connection in several tables on the firewall. If a SYN/TCP
> packet arrives the packet is inspected and compared to the policy. If the
> packet is allowed an entry for this connection is made in the table. The
> following packets for this connection are accepted without full inspection
> of the packet. Thus it is not possible to send manipulated packets through the
> firewall stating that they belong to already established connections. But
> this is all done between layer 2 and 3 of the TCP/IP model. Thus the packets
> usually don't reach layer 4 where their content could be inspected.
>
> If you want to inspect the content of the packet you have to search for an
> application layer gateway like for example Gauntlet or Raptor Eagle.
>
> Best regards
>
> Heiko Ploehn
>
>
>
>
> > Can this behaviour be simulated with ipfilter and ipnat using
> > transparent proxies?
> >
> > Thanks,
> > Jason
> >
> > On Wed, Dec 01, 1999 at 02:36:54PM +0100, [EMAIL PROTECTED] wrote:
> > > At 11:40 01.12.99 +0800, Zheng Bokui wrote:
> > > >Dear gurus,
> > > >
> > > >Is Darren Reed's IPFILTER a good tool compared with commercial firewalls
> > > >like Checkpoint FIREWALL-1 or CISCO PIX?
> > > >
> > > >Of course commercial ones provide more features. What I'm most concerned
> > > >about is security: Can I build a secure firewall with IPFILTER?
> > > >
> > > >
> > > >TIA,
> > > >Bokui
> > > >
> > > >-
> > > >[To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > >"unsubscribe firewalls" in the body of the message.]
> > > >
> > > >
> > > yes IPFILTER is a good tool
> > >
> >
>
> --
> Dr. Heiko Ploehn AM Professional Services GmbH
> Tel.: +49 89 64916339 Geschwister-Scholl-Str. 4
> Fax.: +49 89 6411636 82031 Gruenwald
> email [EMAIL PROTECTED]
>
>
>
>
--
Dr. Heiko Ploehn AM Professional Services GmbH
Tel.: +49 89 64916339 Geschwister-Scholl-Str. 4
Fax.: +49 89 6411636 82031 Gruenwald
email [EMAIL PROTECTED]
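A small simulation of the two mechanisms argued about in this thread, added here as an illustration and not code from any of the posters or from any product: a stateful filter that checks policy once on the SYN and then passes later packets by connection-table lookup without reading the payload, beside a gateway that adds a layer 7 check on port 80. Hosts, ports and payloads are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    payload: bytes = b""


class StatefulFilter:
    """Stateful inspection as described above: policy is consulted only for the
    SYN; later packets pass by table lookup and their payload is never read."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self.table = set()  # known connections: (src, sport, dst, dport)

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn:
            if pkt.dport in self.allowed_ports:
                self.table.add(key)  # record the new connection
                return "pass"
            return "drop"
        # Non-SYN packet: accepted only if it belongs to a recorded connection.
        return "pass" if key in self.table else "drop"


class HttpGateway(StatefulFilter):
    """Application layer gateway: same connection tracking, plus a check that
    data sent to the HTTP port actually starts like an HTTP request."""

    METHODS = (b"GET ", b"POST ", b"HEAD ")

    def filter(self, pkt):
        verdict = super().filter(pkt)
        if verdict == "pass" and pkt.payload and pkt.dport == 80:
            if not pkt.payload.startswith(self.METHODS):
                self.table.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "drop"  # port 80, but not HTTP: the telnet-on-80 case
        return verdict


def run(fw, packets):
    return [fw.filter(p) for p in packets]


# Constructed traffic: a real HTTP session, a telnet-style session on port 80,
# and a data packet claiming to belong to a connection that was never opened.
TRAFFIC = [
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, syn=True),
    Packet("10.0.0.5", 40001, "192.0.2.10", 80, payload=b"GET / HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", 40002, "192.0.2.10", 80, syn=True),
    Packet("10.0.0.5", 40002, "192.0.2.10", 80, payload=b"\xff\xfd\x18login: "),
    Packet("10.0.0.9", 40003, "192.0.2.10", 80, payload=b"GET / HTTP/1.0\r\n\r\n"),
]
```

Both filters drop the spoofed packet for an unknown connection; only the gateway drops the non-HTTP data on port 80.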