Firewall Wizards mailing list archives

Re: netwolves


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Fri, 21 Dec 2001 09:18:05 +0100 (CET)

Hi all!

David Lang wrote:

> as I understand it the CVP is an 'Industry Standard' that only checkpoint
> firewalls use.

Almost correct ;-)

CVP version 1.0 is standardized and available from multiple vendors
to a certain extent. The Gauntlet firewall, for example, uses it.
Unfortunately the protocol spec for CVP 1.0 is broken by design
- hard coded limit of the number of concurrent sessions from
firewall to scanner, just to name one. It's pretty usable for
email, though, where scanning can easily be serialized.
We use it with Gauntlet and F-Secure content scanner.

This led to the development of CVP 2.0 - although Checkpoint
claims it is an open standard, I wasn't able to find sufficient
documentation on it. All scanning engine vendors I know of only
support Checkpoint firewalls as clients and AFAIK Checkpoint
is the only firewall vendor to ship CVP 2.0.

Not that they got it right this time. IIRC the number of concurrent
scanning sessions was simply bumped from 5 (!) in 1.0 to 254 in 2.0.


I seriously doubt if the concept of content inspection for HTTP
or FTP does make sense at all. A sufficiently up-to-date desktop
antivirus product should take care of downloads. Given the current
protocols (HTTP/FTP), withholding the downloaded content from the
application for an indeterminable amount of time until it is
scanned and no virus found is bound to cause timeouts and abort
the download altogether. And if you believe things like
"data trickling" (sp?) will fix this, go search through Checkpoint
mailing lists for a while ;-))

You might consider blocking certain mime types and/or file
extensions completely for "ordinary users". Of course this can
be circumvented intentionally. As can any content inspection by
simply using SSL.

Regards,
Patrick M. Hausen
Technical Director
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Scheffelstr. 17 a     Tel. 0721 9109 -0 Fax: -100
76135 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

