Re: SunScreen Lite vs. IPF.
From: John Rowan Littell (littejo@earlham.edu)
Date: 08/14/01
- Previous message: Matthew Collins: "Re: NFS Security Question"
- In reply to: Stuart Flisher: "RE: SunScreen Lite vs. IPF."
- Next in thread: Neil Dickey: "RE: SunScreen Lite vs. IPF."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 14 Aug 2001 10:55:50 -0500
From: John Rowan Littell <littejo@earlham.edu>
To: "'Focus-Sun'" <focus-sun@securityfocus.com>
Subject: Re: SunScreen Lite vs. IPF.
Message-ID: <20010814105549.C20941@earlham.edu>
Lo, Stuart Flisher and the coffee pot sang in unison:
>
> One point IPF is a packet filter (right?) whereas SunScreen is stateful
> inspection.
Depending on what exactly you mean by stateful inspection, IPF does do
it. That is to say, IPF is a packet filter that includes the ability
to look at the state of TCP connections and allow/deny packets based
on that. It can approximate that behavior for some types of UDP and
ICMP traffic as well (DNS queries, ping, traceroute), and it also
includes some basic proxy capabilities (to support, e.g. FTP). It
does not do packet payload inspection.
It is quite possible with IPF to allow outbound start-of-connection
packets (syn) and then allow all inbound and outbound packets that are
part of that connection but to always disallow inbound syn packets.
--rowan, a long-time satisfied user of IPF on BSD systems
-- John "Rowan" Littell Systems Administrator Earlham College Computing Services
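The policy Rowan describes (allow outbound SYNs, track the resulting connections, never accept an inbound SYN) as an IPF ruleset; this is an added example, not from the original message. The interface name hme0 and the single-host, outbound-only policy are assumptions; the FTP proxy mentioned in the message is configured separately in ipnat.conf and is not shown here.

```ipf
# ipf.conf (assumed interface: hme0)
# Rules are evaluated in order; "quick" stops at the first match.
# Packets matching an existing state-table entry are passed before
# these rules are consulted, which is what lets reply traffic in.

# Outbound TCP: only the start-of-connection packet (SYN set, ACK clear)
# needs to match; "keep state" then admits both directions of that flow.
pass out quick on hme0 proto tcp from any to any flags S/SA keep state

# Outbound UDP and ICMP: IPF approximates state for these (DNS, ping,
# traceroute) by remembering the outbound packet and passing the reply.
pass out quick on hme0 proto udp  from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# Inbound SYN packets are never accepted, regardless of port; log them
# so attempted inbound connections show up in ipmon output.
block in log quick on hme0 proto tcp from any to any flags S/SA

# Everything else inbound that did not match a state entry is dropped.
block in quick on hme0 all
```

Load with `ipf -Fa -f /etc/ipf.conf` and confirm the tracked flows with `ipfstat -s`; an inbound SYN to any listening service should appear in the ipmon log rather than in `ipfstat -s`.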