Jon Earle wrote:
> 
> Why do you say FW-1 does not do a good job at what it claims to do?  It
> seems to work as advertised from my lab and implementation tests, that is,
> hitting the gateway with nmap scans only turned up the services I
> allowed.

That's not the whole picture. Stateful Inspection is "supposed to" check
payload. The marketing slick is that it is as good as an app proxy
because the payload scanning makes it protocol aware. This in fact is
not the case. Set up Netcat to listen on TCP/25, TCP/53, etc. and open
the port through your firewall. Now try to connect to that port. If the
software was truly inspecting the payload, your session would not be
allowed through. So while Stateful Inspection has the potential to check
payload, in actual implementation it's little more than a stateful packet
filter for all but 3-5 protocols.

>  Yes, it doesn't really inspect the http traffic or smtp traffic,
> but I don't think many people configure their ALGs to do that either (but,
> that's a separate debate).

You are 100% correct. This is a point I've been trying to drive home as
part of my SANS course. You have theory and implementation, which are two
different things. In theory an app proxy has the *potential* to be a
more secure solution than a stateful packet filter. When you look at
actual deployment it's a whole different ball game. Few products come out
of the box implementing anything more than stateful packet filtering.

HTH,
Chris
-- 
**************************************
[EMAIL PROTECTED]

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
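The Netcat test Chris describes above, written out as an added example; this is not code from the original post or from anyone on the list. The Listener class stands in for `nc -l -p PORT` on the inside host, probe() is the connection you make from outside, and the probe payload (an HTTP request aimed at a port opened for SMTP) is constructed here. Host and port are placeholders: run the stand-alone script and both halves sit on one machine with no firewall between them, so it reports the "not inspected" outcome, which is exactly what you will also see on the opened port from a product that only does stateful packet filtering. To test a real gateway, start Listener on the inside host with the port you opened and call probe() against it from outside.

```python
import socket
import threading

# Constructed probe payload: an HTTP request aimed at a port opened for
# SMTP. A proxy that actually parses SMTP would never forward this.
NON_SMTP_PROBE = b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"


class Listener:
    """Stand-in for `nc -l -p PORT` on the inside host: accept one
    connection and record every byte the peer sends. received stays
    None if nothing ever connects before the timeout."""

    def __init__(self, host="127.0.0.1", port=0, timeout=5.0):
        self.timeout = timeout
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 = pick a free one
        self.sock.listen(1)
        self.sock.settimeout(timeout)
        self.port = self.sock.getsockname()[1]
        self.received = None
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        try:
            conn, _ = self.sock.accept()
        except socket.timeout:
            return                            # nothing got through to us
        finally:
            self.sock.close()
        buf = b""
        with conn:
            conn.settimeout(self.timeout)
            try:
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:             # peer finished sending
                        break
                    buf += chunk
            except socket.timeout:
                pass                          # keep whatever did arrive
        self.received = buf

    def wait(self):
        self._thread.join()
        return self.received


def probe(host, port, payload, timeout=5.0):
    """Client side of the test, run from outside against the port the
    firewall rule opened. Returns True once the TCP session is up and the
    payload has been sent, False if the connect was refused, reset or
    timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)        # tell the listener we are done
            try:
                while c.recv(4096):           # wait for the peer to close
                    pass
            except OSError:
                pass                          # a reset here still counts as sent
        return True
    except OSError:
        return False


def classify(session_allowed, received, payload):
    """Turn the two observations into the verdict the test is after."""
    if not session_allowed:
        return "blocked: session never completed (a proxy/ALG or rule denied it)"
    if received == payload:
        return "not inspected: non-protocol payload delivered verbatim (stateful packet filter behaviour)"
    if received:
        return "altered: payload changed in transit (something protocol-aware is in the path)"
    return "blocked: session opened but the payload never reached the listener"


def run_test(payload=NON_SMTP_PROBE, host="127.0.0.1", port=0):
    """Run both halves on one machine (no firewall in the path). Against a
    real gateway, start Listener inside on the opened port and call
    probe() from outside."""
    listener = Listener(host, port)
    allowed = probe(host, listener.port, payload)
    received = listener.wait()
    return {"session_allowed": allowed, "received": received,
            "verdict": classify(allowed, received, payload)}


if __name__ == "__main__":
    print(run_test()["verdict"])
```

The "altered" verdict is the one to watch for on a box that claims protocol awareness: a proxy that answers the client itself, rewrites the banner or strips the request shows up there, while a pure packet filter hands the HTTP request to the fake SMTP listener byte for byte.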
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
