Penetration Testing mailing list archives

Re: firewall question


From: dr.kaos <dr.kaos () kaos to>
Date: Thu, 14 Feb 2002 14:47:48 -0500

On Wednesday 13 February 2002 08:44 pm, leon wrote:

> I have a question regarding stateful inspection firewalls
> (specifically pix and checkpoint).
>
> [...snip...]
>
> if either of these firewalls has a method of filtering based on
> protocol (for example allow 80 to be a destination port but only http
> traffic can cross it.  No netcat, no aim, no limewire, just http.
>
> [...snip...]
>
> So to reiterate; is there a way to configure pix or checkpoint to
> judge the connection based on protocol as opposed to arbitrary things
> like source ip, destination IP or port numbers?

Simple answer: no. Because stateful filters are effectively smart packet 
filters, they are simply not designed to do application layer inspection.

That said, there are functions available in several stateful firewall 
applications that will allow such filtering by implementing 
'content-security' proxies. Specifically, Checkpoint has "security servers" 
that can be used for http, ftp, and smtp connections, effectively proxying 
them to allow for content control, CVP virus filtering, etc.

Unfortunately, I have never been satisfied with the operations of these 
"security servers." Checkpoint simply isn't in the business of building 
proxies or application gateways, and thus, the reliability and effectiveness 
of these proxies demonstrates their lack of experience in this area.

HTH,

./dr.kaos
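As an added illustration that is not part of the original thread, the following Python sketch shows the distinction the reply draws: a stateful/packet filter decides on addresses, ports and connection state alone, so any payload sent to port 80 passes it, whereas a content-security proxy can at least require the traffic to be framed as HTTP. The sample payloads, the check itself and the rule names are all constructed for this example, not taken from PIX or Checkpoint.

```python
import re

# Constructed client payloads, all assumed to arrive on destination port 80.
SAMPLES = {
    "browser":   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "netcat":    b"id\n",                                    # interactive shell over nc
    "gnutella":  b"GNUTELLA CONNECT/0.6\r\nUser-Agent: x\r\n\r\n",  # p2p handshake (LimeWire)
    "truncated": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n",    # headers never terminated
}

# HTTP/1.x request line: method, request-target, version, CRLF.
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) "
    rb"(/[^ \r\n]*|\*|https?://[^ \r\n]+) HTTP/1\.[01]\r\n"
)
# Header field: token name followed by a colon.
HEADER_LINE = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")


def port_filter_allows(dst_port: int, payload: bytes) -> bool:
    """Stateful/packet-filter rule: only the 5-tuple counts; the payload is never read."""
    return dst_port == 80


def looks_like_http_request(payload: bytes) -> bool:
    """Application-layer check a proxy can make on the first client data:
    a well-formed request line, syntactically valid header lines, and the
    blank line that ends the header block. Framing only: it says nothing
    about what the request body or responses carry."""
    if not REQUEST_LINE.match(payload):
        return False
    head, terminator, _ = payload.partition(b"\r\n\r\n")
    if not terminator:
        return False  # incomplete or malformed header block
    return all(HEADER_LINE.match(line) for line in head.split(b"\r\n")[1:])


def proxy_allows(dst_port: int, payload: bytes) -> bool:
    """Content-security rule: right port AND the data is actually HTTP."""
    return dst_port == 80 and looks_like_http_request(payload)


def evaluate(samples: dict) -> dict:
    """Return {name: (packet_filter_verdict, proxy_verdict)} for each payload."""
    return {name: (port_filter_allows(80, p), proxy_allows(80, p)) for name, p in samples.items()}
```

Only the browser request passes both rules; the other three pass the port-based rule but fail the framing check, which is the gap the original question is about.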
