
List:       firewalls-gc
Subject:    RE: question
From:       Raj Baby <baby.raj () ca ! com>
Date:       2002-05-31 13:08:50

Thank You very much for your answer.

Raj

-----Original Message-----
From: Ben Nagy [mailto:ben@iagu.net]
Sent: Friday, May 31, 2002 4:39 AM
To: Raj Baby; firewalls@lists.gnac.net
Subject: RE: question


I think it's appropriate here to quote one of the dormant list gurus:

"Carson's law of firewalls:

Any sufficiently advanced application proxy is indistinguishable from
any sufficiently advanced stateful inspection engine."

In my own opinion, I draw the line (purely for my own convenience) at
how the packet is handled. If a device passes packets through its own
application (eg an SMTP gateway) and completely severs the TCP
connection between the sending and receiving stations (ie internally
retransmits the packet data from its own stack) then I call it an
application proxy. An ALG does not route.

If a device passes the packet through really smart logic, looks at the
application layer, and then does appropriate stuff, but still routes the
same packet it received internally, I call it a stateful packet filter.

A "sufficiently advanced" SPF, as per Carson's quote, would do
application level inspection, and also sanitise and change any parts of
the packet header it thought were risky before routing it internally,
thus making it _functionally_ indistinguishable from an ALG.

Checkpoint is a stateful packet filter. There is nothing that says SPFs
can't look at the application layer; as noted below it's impossible to
handle FTP without doing so (and even basic NAT routers can do that with
no problems). The CP security servers (and I've actually never heard of
anyone that claimed to use them) may do smart layer 7 checking, but they
don't, AFAIK, sever the client/server TCP connection.

Once again, I invite any serious FW-1 guru to clarify this at a
technical level (brochure readers and casual implementors, like me,
needn't apply).

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: TBA  PGP Key ID: 0x1A86E304

-----Original Message-----
From: firewalls-admin@lists.gnac.net
[mailto:firewalls-admin@lists.gnac.net] On Behalf Of Raj Baby
Sent: Wednesday, May 22, 2002 11:01 PM
To: Shimon Silberschlag; firewalls@lists.gnac.net
Subject: RE: question


Hi, 
Thanks very much for the answer. 
Would you please refer to this doc?
http://www.sofaware.com/html/tech_stateful.shtm 
Its table (page 2 of 8) makes me believe that the stateful inspection
does Application derived state + Information manipulation, which is done
actually by an application filter. Right??
Again, the definition on page 4 of 8 says "stateful inspection extracts
state-related information required for security decision from all
application layers and maintain this information in dynamic state table
for evaluating subsequent connection attempts."
Could you please clarify???
Thanks 
Ricky 
-----Original Message----- 
From: Shimon Silberschlag [mailto:shimons@bll.co.il] 
Sent: Wednesday, May 22, 2002 11:18 AM 
To: Raj Baby; firewalls@lists.gnac.net 
Subject: Re: question 


The "security servers" (using CP terminology) can be considered 
application level gateways. This is why many think of CP as a hybrid 
firewall, as opposed to doing stateful inspection only. 
You can't do stuff like the PUT/GET you describe without going to 
layer 7 - checking the packet payload. 
HTH, 
Shimon Silberschlag 
+972-3-9352785 
+972-51-207130 
----- Original Message ----- 
From: "Raj Baby" <baby.raj@ca.com> 
To: <firewalls@lists.gnac.net> 
Sent: Wednesday, May 22, 2002 15:48 
Subject: question 


> Hi, 
> 
> If I configure Firewall-1 in Windows NT using the rule base editor, is it
> going to be stateful inspection??
> 
> 
> If that is the case, then why is content filtering used for
> application filtering, like restricting an FTP GET or allowing an FTP
> PUT??
> 
> 
> I mean to say that this is to be taken care of by stateful inspection,
> right??
> 
> Help is greatly appreciated by a NOVICE in checkpt 
> 
> Thanks, 
> Ricky  (Baby Raj  P) 
> Computer Associates International, Inc 
> Technology Consultant / NT Storage 
> Tel: +1 866-422-2774 
> E-Mail: baby.raj@ca.com 
> 
> 
_______________________________________________
Firewalls mailing list
Firewalls@lists.gnac.net
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
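As an added illustration of the distinction Ben draws above (not code from the thread or from any vendor product), the toy engine below behaves like his "sufficiently advanced" stateful packet filter: it reads the FTP control channel at layer 7 to derive state (pinholes for PORT/PASV data connections) and to enforce a command policy such as denying PUT (STOR) while allowing GET (RETR), yet it never terminates the TCP session; the client's own packets are routed or dropped. The IP addresses and FTP lines are constructed sample input.

```python
import re

# Six comma-separated numbers carried by PORT commands and 227 replies.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(match):
    """Turn h1,h2,h3,h4,p1,p2 into an (ip, port) tuple."""
    a, b, c, d, p1, p2 = (int(x) for x in match.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


class StatefulFilter:
    """Stateful packet filter with application-derived state (toy model)."""

    def __init__(self, denied_cmds=()):
        self.denied = {c.upper() for c in denied_cmds}   # e.g. {"STOR"} blocks PUT
        self.pinholes = set()                             # dynamic data-channel rules

    def control_line(self, client_ip, server_ip, line):
        """Inspect one FTP control-channel line and return 'ALLOW' or 'DENY'.
        The packet carrying the line is forwarded unchanged when allowed."""
        if m := PORT_RE.match(line):                      # active mode: server -> client
            ip, port = _endpoint(m)
            if ip != client_ip:                           # only pinhole the client itself
                return "DENY"
            self.pinholes.add((server_ip, ip, port))
            return "ALLOW"
        if m := PASV_RE.match(line):                      # passive mode: client -> server
            ip, port = _endpoint(m)
            if ip != server_ip:
                return "DENY"
            self.pinholes.add((client_ip, ip, port))
            return "ALLOW"
        cmd = line.split(" ", 1)[0].upper()               # layer-7 command policy
        return "DENY" if cmd in self.denied else "ALLOW"

    def new_connection(self, src_ip, dst_ip, dst_port):
        """Admit a fresh data-channel SYN only if layer-7 state predicted it."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.pinholes:
            self.pinholes.discard(key)                    # one-shot pinhole
            return True
        return False
```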
