Hello Michael,
MBR> I would expect that the webserver would still be vulnerable, and the only
MBR> way the firewall could stop an exploit against the vulnerability would be
MBR> for me to get my hands dirty with INSPECT code. In this case, how would
MBR> FW-1 be acting as anything more than a dynamic packet filter?
My personal opinion is that FW1 ISN'T anything more than a good
packet filter. You even should not put to much trust in the stateful
inspection itself (especially stateful inspection of UDP.)
Having FW1 doing application level firewalling is something I feel
dangerous, as it's another step in the "single line of defense"
direction.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
