Chris,
That is a fair point that you make about the PIX doing a "curiosity check" on the
first packet. The point is it actually does that check, as opposed to dumbly passing
every packet that hits it on port 80, as was asserted initially. I was under the
impression that FW-1 does a similar thing. Does this mean that FW-1 does just dumbly
pass every packet that goes over port 80? Or are you saying that unless you are
filtering URLs or sending packets to an HTTP resource, FW-1 does not care what it
passes?
Regards
JP
-----Original Message-----
From: Chris Tobkin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 24, 2001 1:42 AM
To: Jean-Pierre Harvey; [EMAIL PROTECTED]; Cor van Rijssel
Cc: [EMAIL PROTECTED]
Subject: RE: Differences between Cisco PIX and Nokia / Check Point
Actually, no, that is not what FW-1 does. For speed purposes, most times it does not
look at the payload at all. If you are doing something that requires looking at the
payload (URL Filtering/Anti-Virus/etc.), IOW, using an HTTP Resource, then it will pass
it up to a "Security Server" (a.k.a. proxy). There it not only looks for valid HTTP
headers, but it can also strip out viruses, JavaScript, Java, ActiveX, etc. The
ability to queue the message/file/response to disk and check it in its entirety is
something that is not available with PIX because it only makes sure that the request
and response comply with Cisco's interpretation of the RFCs. The fixup protocols do not
add much security since it just passes everything off immediately after it does a
cursory check.
// Chris
[EMAIL PROTECTED]