-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Actually, no, that is not what FW-1 does. For speed purposes, most
times it does not look at the payload at all. If you are doing
something that requires looking at the payload (URL
Filtering/Anti-Virus/etc.), IOW, using a HTTP Resource, then it will
pass it up to a "Security Server" (a.k.a. proxy). There it not only
looks for valid HTTP headers, but it can also strip out viruses,
JavaScript, Java, ActiveX, etc. The ability to queue the
message/file/response to disk and check it in its entirety is something
that is not available with PIX because it only makes sure that the
request and response comply with Cisco's interpretation of the RFC's. The
fixup protocols do not add much security since they just pass everything
off immediately after doing a cursory check.
// Chris
[EMAIL PROTECTED]
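The distinction drawn above, between an engine that forwards as soon as the HTTP headers parse and a proxy that holds the complete message and inspects the body, is easy to see in code. What follows is an added example written for this page, not code from Check Point, Cisco or anyone in the thread; the two inspectors, the active-content pattern list and the sample messages are all constructed for illustration and model the behaviour described, not any real product's implementation.

```python
import re

# Added example (not from the thread or either vendor). cursory_check()
# models a fixup-style engine that forwards once the start line and headers
# are syntactically valid; proxy_inspect() models a content-filtering proxy
# that queues the whole message, checks the body and strips active content.

START_LINE = re.compile(
    rb"^(?:(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]"
    rb"|HTTP/1\.[01] [1-5]\d\d[^\r\n]*)$")
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:[^\r\n]*$")


def parse_message(raw):
    """Split a raw HTTP request or response into (start_line, headers, body).
    Header names are lower-cased bytes. Raises ValueError on a syntax error."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.split(b"\r\n")
    if not START_LINE.match(lines[0]):
        raise ValueError("malformed start line")
    headers = {}
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            raise ValueError("malformed header line")
        name, _, value = line.partition(b":")
        headers[name.lower()] = value.strip()
    return lines[0], headers, body


def cursory_check(raw):
    """Fixup-style verdict: 'pass' once the headers parse, otherwise 'drop'.
    The body is never examined, so any payload behind valid headers passes."""
    try:
        parse_message(raw)
    except ValueError:
        return "drop"
    return "pass"


# Active content a filtering proxy may be configured to strip (toy patterns).
ACTIVE_CONTENT = [
    ("JavaScript", re.compile(rb"<script\b.*?</script\s*>", re.I | re.S)),
    ("Java", re.compile(rb"<applet\b.*?</applet\s*>", re.I | re.S)),
    ("ActiveX", re.compile(rb"<object\b[^>]*\bclassid=.*?</object\s*>", re.I | re.S)),
]


def proxy_inspect(raw):
    """Proxy-style verdict on a buffered message.
    Returns (verdict, findings, body_to_forward); verdict is 'drop',
    'hold' (body not yet complete), 'pass' or 'strip'."""
    try:
        _, headers, body = parse_message(raw)
    except ValueError as exc:
        return "drop", [str(exc)], b""
    declared = headers.get(b"content-length")
    if declared is not None:
        if not declared.isdigit():
            return "drop", ["non-numeric Content-Length"], b""
        expected = int(declared)
        if len(body) < expected:  # queue and wait; inspect only once complete
            return "hold", ["%d body bytes still outstanding" % (expected - len(body))], b""
        if len(body) > expected:
            return "drop", ["body exceeds Content-Length"], b""
    # A text/* body should not carry NUL bytes; treat that as not web content.
    if headers.get(b"content-type", b"").startswith(b"text/") and b"\x00" in body:
        return "drop", ["binary payload behind a text/* Content-Type"], b""
    findings = []
    for label, pattern in ACTIVE_CONTENT:
        body, count = pattern.subn(b"", body)
        if count:
            findings.append("%s stripped (%d)" % (label, count))
    return ("strip" if findings else "pass"), findings, body


# Constructed sample traffic (not captured from any real network).
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n\r\n")

SAMPLE_PAGE = (b"<html><body>Hi<script>alert(1)</script>"
               b"<object classid=\"clsid:0000\"></object></body></html>")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: " + str(len(SAMPLE_PAGE)).encode()
                   + b"\r\n\r\n" + SAMPLE_PAGE)

# Well-formed headers in front of a body that is not web content at all.
OPAQUE_BODY = b"\x00\x01\x02opaque\x00stream"
SAMPLE_OPAQUE = (b"POST /upload HTTP/1.1\r\n"
                 b"Host: www.example.com\r\n"
                 b"Content-Type: text/plain\r\n"
                 b"Content-Length: " + str(len(OPAQUE_BODY)).encode()
                 + b"\r\n\r\n" + OPAQUE_BODY)


def compare_all():
    """Run both inspectors over the constructed samples; returns {name: (cursory, proxy)}."""
    samples = [("request", SAMPLE_REQUEST), ("response", SAMPLE_RESPONSE),
               ("opaque", SAMPLE_OPAQUE)]
    return {name: (cursory_check(raw), proxy_inspect(raw)[0]) for name, raw in samples}


if __name__ == "__main__":
    for name, verdicts in compare_all().items():
        print("%-8s cursory=%-4s proxy=%s" % (name, verdicts[0], verdicts[1]))
```

The header-only check returns "pass" for all three samples, including the one whose body is opaque binary; only the buffering proxy can distinguish them, and it is also the only one that can hold an incomplete body (truncate `SAMPLE_RESPONSE` and it returns "hold") or hand back a body with the script and object tags removed.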
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jean-Pierre Harvey
Sent: Tuesday, May 22, 2001 6:01 PM
To: '[EMAIL PROTECTED]'; Cor van Rijssel
Cc: '[EMAIL PROTECTED]'
Subject: RE: Differences between Cisco PIX and Nokia / Check Point
Black,
This is fairly old information and all of the below has been patched
long ago. If you are going to talk about the old versions of the PIX IOS
then compare it to FW-1 3.x or something, not to 4.1 SP3. The PIX also
*does* have a "fixup protocol" (packet inspection) for some of the
mostly used protocols, including HTTP, so it would be inaccurate to say
that you can tunnel anything through the PIX on port 80. What would be
accurate would be to say that you can tunnel anything through port 80 on
the PIX that has an HTTP header, which (and correct me if I am wrong) is
exactly what FW-1 does.
The PIX also outperforms FW-1 for throughput.
Regards
JP
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 23, 2001 12:09 AM
To: Cor van Rijssel
The PIX has a couple of shortcomings.
* it doesn't validate most streams, so you could, for example, create a
tunnel through port 80 and the PIX would never know it wasn't web traffic
* it has some FTP bugs which cause connections to be opened erroneously -
not sure if this is a huge security risk though
* it has a nasty vulnerability that allows spoofed IP RST messages to kill
any open connections - again this is because the PIX doesn't go as far
into the upper layers in the packets.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
iQA/AwUBOwvZ6B3lwiNerIMVEQI7GACg3xO+eMXHmzl5emhcbgpKVnXSgUgAoL+H
5CuyiKufIblMIs8lW3W03cjR
=3mjY
-----END PGP SIGNATURE-----
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]