The PIX has a couple of shortcomings.
* it's vulnerable to spoofed address attacks
* it doesn't validate most streams, so you could, for example, create a
tunnel through port 80 and the PIX would never know it wasn't web traffic
* it has some FTP bugs which cause connections to be opened erroneously -
not sure if this is a huge security risk though
* it has a nasty vulnerability that allows spoofed IP RST messages to kill
any open connections - again, this is because the PIX doesn't go as far
into the upper layers in the packets.
The last two problems are documented on Cisco's website. I don't have the
URLs handy.
The problem I know of with Checkpoint is if another MAC address claims the
same IP as one of the firewall interfaces. This will cause Checkpoint to
crash. You should be able to block this with a rule though, so at least
there is a workaround.
So far this sounds really lopsided to Checkpoint. Let me just temper my
message by throwing in the fact that Checkpoint also costs roughly twice
as much as a similar PIX solution. You more or less get what you pay for.
On Tue, 22 May 2001, Cor van Rijssel wrote:
> Could someone give me information about functional (so not about techniques,
> or hardware) differences between a Cisco PIX Firewall and a Nokia / Check
> Point firewall? I'm looking for "strange" holes/security leaks and so on.
> So, which one is more difficult to hack?
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
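The spoofed-RST point above comes down to how much TCP state the firewall keeps. A tracker that matches only addresses and ports will honour any RST an off-path attacker sprays at a known 5-tuple; one that also tracks the peer's sequence number can demand the RST land in the receive window (RFC 793) or exactly on RCV.NXT (RFC 5961), which turns a one-packet kill into a 2^32 search. The following is an added illustration written for this page, not code from Cisco, Check Point or the message author; the `Flow` record, the three verdict functions and the attack simulation are hypothetical names, and the flow state and sequence numbers are constructed.

```python
"""Why tracking TCP sequence numbers defeats blind (off-path) RST spoofing.

Added example for this page; the tracker is a hypothetical toy, not PIX or
Check Point code. All flow state and sequence numbers are constructed.
"""
import random
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Flow:
    """One tracked flow, seen from the endpoint that would receive the RST.

    A real tracker also keeps addresses, ports and the other direction;
    only the fields the RST check needs are modelled here.
    """
    rcv_nxt: int   # next in-order sequence number expected from the peer
    rcv_wnd: int   # receive window the peer is allowed to send into


def seq_in_window(flow, seq):
    """RFC 793 acceptability test: RCV.NXT <= SEQ < RCV.NXT + RCV.WND, mod 2^32.

    Doing the subtraction modulo 2^32 handles windows that straddle the wrap.
    """
    return (seq - flow.rcv_nxt) % SEQ_MOD < flow.rcv_wnd


def rst_verdict_tuple_only(flow, seq):
    """Tracker that matches the 5-tuple only (the weakness described in the
    message): any RST whose addresses and ports match tears the flow down."""
    return "reset"


def rst_verdict_rfc793(flow, seq):
    """Stateful check: honour the RST only if SEQ is inside the receive window."""
    return "reset" if seq_in_window(flow, seq) else "drop"


def rst_verdict_rfc5961(flow, seq):
    """RFC 5961 hardening: only SEQ == RCV.NXT resets. An in-window but inexact
    RST earns a challenge ACK (the real peer will then re-send a correct RST);
    anything out of window is dropped."""
    if seq == flow.rcv_nxt:
        return "reset"
    if seq_in_window(flow, seq):
        return "challenge"
    return "drop"


def blind_rst_attack(verdict_fn, flow, guesses, seed=1):
    """Simulate an off-path attacker who knows the 5-tuple but not the sequence
    number and sprays `guesses` RSTs with random SEQ values.

    Returns how many of them the tracker would have accepted as a reset.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    return sum(1 for _ in range(guesses)
               if verdict_fn(flow, rng.randrange(SEQ_MOD)) == "reset")


def guesses_to_sweep(policy, rcv_wnd):
    """Number of RSTs an attacker must send to be certain of a hit under each
    policy: one packet, one per window-sized slice of the space, or the whole
    32-bit space."""
    if policy == "tuple_only":
        return 1
    if policy == "rfc793":
        return -(-SEQ_MOD // rcv_wnd)   # ceil(2^32 / window)
    if policy == "rfc5961":
        return SEQ_MOD
    raise ValueError(policy)


if __name__ == "__main__":
    # Constructed flow whose window straddles the 32-bit wrap-around.
    flow = Flow(rcv_nxt=0xFFFFFF00, rcv_wnd=65535)
    for name, fn in [("tuple_only", rst_verdict_tuple_only),
                     ("rfc793", rst_verdict_rfc793),
                     ("rfc5961", rst_verdict_rfc5961)]:
        hits = blind_rst_attack(fn, flow, guesses=10_000)
        print(f"{name:10s} resets from 10000 blind RSTs: {hits:5d}; "
              f"packets to guarantee a kill: {guesses_to_sweep(name, flow.rcv_wnd)}")
```

The in-window check is where a tracker that only looks at the IP and TCP headers' addressing fields stops short; adding the sequence-number comparison is cheap per packet and is what the RFC 5961 challenge-ACK logic later standardised on end hosts. Run it as-is to see the tuple-only tracker accept every spoofed RST while the other two accept essentially none of ten thousand random guesses.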