Greetings!
"Holland, Stephen" wrote:
> I am wondering if someone knows of a whitepaper or just general
> knowledge of why firewalls are better than ACLs. I am aware of the
> stateful inspection that checkpoint can do, but with an ACL you can
> create rules to allow "established connections", thus looking deeper
> into the packet. Stuff like that. I have a good understanding of CP,
> but not ACL and wanted to compare the two. Just looking for some
> in-depth reading.
>
ACL "established" (at least the Cisco type) does NOT do stateful
connection control, but allows ALL "answer" packets with port >1024 and
ACK-bit set - regardless of current connections. This is static,
non-stateful packet filtering.
Checkpoint and other dynamic (stateful) packet filters only allow answer
packets with ACK-bit set and ports exactly matching current connections.
HTH
Volker
--
Volker Tanger <[EMAIL PROTECTED]>
Wrangelstr. 100, 10997 Berlin, Germany
DiSCON GmbH - Internet Solutions
http://www.discon.de/
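
Added example (not part of the original e-mails): a small Python model of the two behaviours described in the reply above, a static "established" rule that checks only the ACK bit and a destination port above 1024, next to a filter that keeps a connection table. All names, addresses and sample packets are constructed for illustration, and the model leaves out sequence numbers, timeouts and connection teardown.

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def static_established(pkt):
    """Static rule as described in the reply: ACK bit set and destination port > 1024."""
    return bool(pkt.flags & ACK) and pkt.dport > 1024


class StatefulFilter:
    """Permits inbound ACK packets only when they mirror a tracked outbound connection."""

    def __init__(self):
        self.connections = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        # An outgoing initial SYN creates the connection-table entry.
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        mirrored = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return bool(pkt.flags & ACK) and mirrored in self.connections


def compare():
    """Return {label: (static_verdict, stateful_verdict)} for constructed inbound packets."""
    fw = StatefulFilter()
    fw.outbound(Packet("10.0.0.5", 40000, "192.0.2.10", 80, SYN))  # inside host opens a connection
    inbound = {
        "reply to tracked connection": Packet("192.0.2.10", 80, "10.0.0.5", 40000, SYN | ACK),
        "ACK with no connection": Packet("198.51.100.7", 80, "10.0.0.5", 40001, ACK),
        "inbound SYN": Packet("198.51.100.7", 4444, "10.0.0.5", 40001, SYN),
    }
    return {label: (static_established(p), fw.inbound(p)) for label, p in inbound.items()}


if __name__ == "__main__":
    for label, (static_ok, stateful_ok) in compare().items():
        print(f"{label:30} static={static_ok!s:5} stateful={stateful_ok}")
```

The second packet is the difference between the two filters: it belongs to no connection, yet the static rule passes it because only its flag and port are examined.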