Bernd Eckenfels wrote:
> On Tue, Jan 23, 2001 at 12:49:39PM -0600, Ron DuFresne wrote:
> > To what degree though is the packet inspection?
>
> You can script it. The degree is much less than checkpoint is claiming
> (proven by ICMP statelessness, by FTP Port Attacks and so on).

The inspection of FW-1 just checks a few selected points. "MS-Exchange" just
uses the RPC (TCP/135), looks into the RPC program number and checks that
against two allowed values (IIRC). If that matches, the whole connection is
assumed to be MS-Exchange. For details please look into the Inspect(tm) scripts
that come with the FW1.
This inspection adds a bit of security to an otherwise ordinary stateful packet
filter with a GUI.

> So the question is, if one needs more than just "peeking" into the
> protocols. And if yes, if a transparent application proxy isn't the better
> idea.

Seconded. Well - an even better choice may (depending on your needs) be a
combination of FW with a proxy in a DMZ.
Bye
Volker
--
Volker Tanger <[EMAIL PROTECTED]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/
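
The difference between "peeking" at the first RPC program number and proxying every message, as an added example that is not part of the original mail and not taken from FW-1's Inspect scripts. The framing, the program numbers and all function names are constructed for illustration and are not real DCE/RPC.

```python
import struct

# Constructed toy framing, NOT real DCE/RPC: 4-byte program number,
# 2-byte payload length, payload. The two allowed values are placeholders.
HEADER = struct.Struct("!IH")
ALLOWED_PROGRAMS = {0x1001, 0x1002}

def frame(program, payload):
    return HEADER.pack(program, len(payload)) + payload

def parse_frames(stream):
    """Yield (program, payload); raise ValueError on a truncated frame."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < HEADER.size:
            raise ValueError("truncated header")
        program, length = HEADER.unpack_from(stream, offset)
        offset += HEADER.size
        if len(stream) - offset < length:
            raise ValueError("truncated payload")
        yield program, stream[offset:offset + length]
        offset += length

def peek_once_filter(stream):
    """Check only the first program number, then trust the whole connection."""
    if len(stream) < HEADER.size:
        return b""
    program, _ = HEADER.unpack_from(stream, 0)
    return stream if program in ALLOWED_PROGRAMS else b""

def proxy_filter(stream):
    """Re-validate every frame; stop forwarding at the first violation."""
    forwarded = b""
    try:
        for program, payload in parse_frames(stream):
            if program not in ALLOWED_PROGRAMS:
                break
            forwarded += frame(program, payload)
    except ValueError:
        pass  # malformed framing ends the connection
    return forwarded

# Constructed connection: one allowed call, then a call to another program.
CONNECTION = frame(0x1001, b"bind") + frame(0x2222, b"other") + frame(0x1002, b"x")

if __name__ == "__main__":
    print(len(peek_once_filter(CONNECTION)), len(proxy_filter(CONNECTION)))
```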