Firewall Wizards mailing list archives

Re: What is the difference between stateful packet filtering and Stateful pkt inspection ?


From: Volker Tanger <volker.tanger () discon de>
Date: Tue, 04 Feb 2003 10:23:34 +0100

Greetings!

Mikael Olsson wrote:
> Volker Tanger wrote:
> > No. CheckPoint and PIX use (transparent) proxies (called "resource" or
> > "fixup") when filtering.
>
> Err. No. FW-1 and PIX most certainly do NOT use proxies for this kind of
> thing. If they did, early TCP segmentation and partially-resent TCP
> segments wouldn't have been able to fool them into opening Gaping Holes(tm).

Well, maybe not 100% proxies - because of which they probably renamed that stuff. Disclaimer: I only know CKP better.


But if you use the HTTP resources in CKP the source IP address "behind" the firewall will be changed to the firewall's IP address pointing to the (server) location instead of the client's original IP - even if no NAT is used. This is a well known bu.. ah... feature. And looks definitely proxyish to me. Especially since all other (e.g. HTTP) rules following will show the same behaviour, regardless whether using a resource or not. A dead giveaway that some proxy must have taken over.

When using SMTP resources, you will even be able to see a message queue building up on CKP like on any normal SMTP server - including frozen messages that cannot be delivered etc. Definitely no behaviour that could be called typical for plain packet filters either.

So probably they are neither but something in-betweenish. Now the main question is: best or worst of both worlds?
>;->

Volker Tanger
IT-Security Consulting

--
discon gmbh
Wrangelstraße 100
D-10997 Berlin

fon    +49 30 6104-3307
fax    +49 30 6104-3461

volker.tanger () discon de
http://www.discon.de/


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
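Both sides of the exchange above turn on what the inspecting device actually sees: a per-packet inspector judges each TCP segment on its own, while a device that terminates the connection (as a proxy does) inspects the byte stream the server will receive. The following Python model is an added illustration for this thread, not code from the original post or from CheckPoint or Cisco; the `Segment` type, the `/private/` policy pattern, the first-copy-wins reassembly rule and the sample traffic are all constructed assumptions.

```python
# Added illustration, not part of the original post: a small model of why
# inspecting TCP segments one at a time can be fooled by segmentation and
# retransmission, while inspecting the reassembled stream (what a device
# that terminates the connection does) sees the same bytes as the server.
# Names, the policy and the sample traffic are constructed for this example.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte, relative to the ISN
    payload: bytes


# Constructed policy: block HTTP requests for anything under /private/.
FORBIDDEN = b"/private/"


def per_segment_inspect(segments: Iterable[Segment]) -> bool:
    """Packet-filter style inspection: each segment's payload is matched in
    isolation. Returns True when the traffic is allowed through."""
    return not any(FORBIDDEN in seg.payload for seg in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Proxy style: rebuild the stream the receiver would hand to its
    application. Segments may arrive out of order or be retransmitted; this
    model keeps the first copy of each byte offset (a simplifying assumption,
    real TCP stacks differ) and stops at the first gap."""
    seen: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            seen.setdefault(seg.seq + i, byte)
    stream = bytearray()
    offset = 0
    while offset in seen:
        stream.append(seen[offset])
        offset += 1
    return bytes(stream)


def stream_inspect(segments: Iterable[Segment]) -> bool:
    """Inspect the reassembled stream instead of individual segments."""
    return FORBIDDEN not in reassemble(segments)


# Constructed sample traffic: the same request delivered three ways.
REQUEST = b"GET /private/report HTTP/1.0\r\n"
ONE_SEGMENT: List[Segment] = [Segment(0, REQUEST)]
# The pattern straddles a segment boundary, so no single segment contains it.
SPLIT: List[Segment] = [Segment(0, REQUEST[:8]), Segment(8, REQUEST[8:])]
# Second half arrives first, and the first half is retransmitted once.
REORDERED: List[Segment] = [Segment(8, REQUEST[8:]),
                            Segment(0, REQUEST[:8]),
                            Segment(0, REQUEST[:8])]


def compare(segments: Iterable[Segment]) -> Dict[str, bool]:
    """Verdict of both inspection styles for one delivery of the request."""
    segs = list(segments)
    return {"per_segment_allows": per_segment_inspect(segs),
            "stream_allows": stream_inspect(segs)}


if __name__ == "__main__":
    for name, traffic in (("one segment", ONE_SEGMENT),
                          ("split", SPLIT),
                          ("reordered", REORDERED)):
        print(f"{name:12s} {compare(traffic)}")
```

Only the single-segment delivery is caught by per-segment matching; the stream inspector reaches the same verdict for all three deliveries because it judges the bytes the server would actually process. That is the property a terminating proxy gets for free and a per-packet filter has to rebuild explicitly (with the ambiguities in retransmission handling that the simplified first-copy-wins rule here glosses over).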
