Black,

This is fairly old information and all of the below has been patched long ago. If you 
are going to talk about the old versions of the PIX IOS then compare it to FW-1 3.x or 
something, not to 4.1 SP3. The PIX also *does* have a "fixup protocol" (packet 
inspection) for some of the mostly used protocols, including HTTP, so it would be 
inaccurate to say that you can tunnel anything through the PIX on port 80. What would 
be accurate would be to say that you can tunnel anything through port 80 on the PIX 
that has an HTTP header, which (and correct me if I am wrong) is exactly what FW-1 
does.

The PIX also outperforms FW-1 for throughput.

Regards
JP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 23, 2001 12:09 AM
To: Cor van Rijssel

The PIX has a couple shortcomings.
* it doesn't validate most streams, so you could, for example, create a
tunnel through port 80 and the PIX would never know it wasn't web traffic
* it has some FTP bugs which cause connections to be opened erroneously -
not sure if this is a huge security risk though
* it has a nasty vulnerability that allows spoofed IP RST messages to kill
any open connections - again this is because the PIX doesn't go as far
into the upper layers in the packets.
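The kind of header-syntax check JP describes the PIX "fixup protocol" as applying to port 80, as an added Python example that is not from this thread or from Cisco: a port-80 segment is accepted only if it begins with a well-formed HTTP/1.x request head, and the constructed samples show a non-HTTP stream being rejected while a stream with a valid head but arbitrary body is accepted, which is exactly the limit JP points out. The regexes and sample bytes are my own simplifications, not the PIX implementation.

```python
import re

# Request line per the HTTP/1.x grammar: METHOD SP request-target SP HTTP/1.x
_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]$"
)
# Header field: token ":" optional whitespace value (simplified tchar set)
_HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")


def looks_like_http_request(payload: bytes) -> bool:
    """True if the start of a stream is a syntactically valid HTTP/1.x
    request head (request line plus well-formed header lines).
    Only the head is checked; the body is deliberately not inspected."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False  # end of headers never seen in this segment
    lines = head.split(b"\r\n")
    if not _REQUEST_LINE.match(lines[0]):
        return False
    return all(_HEADER_LINE.match(line) for line in lines[1:])


def classify_port80_streams(streams):
    """Label each (name, first_segment) pair as 'http' or 'non-http'."""
    return {name: ("http" if looks_like_http_request(seg) else "non-http")
            for name, seg in streams}


# Constructed first segments of four port-80 streams (hypothetical data).
SAMPLES = [
    ("browser", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("ssh-on-80", b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("bad-header", b"GET / HTTP/1.1\r\nthis is not a header\r\n\r\n"),
    # Valid head, opaque body: passes a header-only check, as JP describes.
    ("framed-binary", b"POST /up HTTP/1.1\r\nHost: h\r\n\r\n\x00\x01\x02\xff"),
]

if __name__ == "__main__":
    for name, verdict in classify_port80_streams(SAMPLES).items():
        print(f"{name}: {verdict}")
```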