Re: firewall question

From: dr.kaos (dr.kaos@kaos.to)
Date: 02/14/02


From: dr.kaos <dr.kaos@kaos.to>
To: "leon" <leon@inyc.com>, <pen-test@securityfocus.com>
Date: Thu, 14 Feb 2002 14:47:48 -0500

On Wednesday 13 February 2002 08:44 pm, leon wrote:

> I have a question regarding stateful inspection firewalls
> (specifically pix and checkpoint).

[...snip...]

> if either of these firewalls has a method of filtering based on
> protocol (for example allow 80 to be a destination port but only http
> traffic can cross it. No netcat, no aim, no limewire just http).

[...snip...]

> So to reiterate; is there a way to configure pix or checkpoint to
> judge the connection based on protocol as opposed to arbitrary things
> like source IP, destination IP or port numbers?

Simple answer: no. Because stateful filters are effectively smart packet
filters, they are simply not designed to do application layer inspection.

That said, there are functions available in several stateful firewall
applications that will allow such filtering by implementing
'content-security' proxies. Specifically, Checkpoint has "security servers"
that can be used for http, ftp, and smtp connections, effectively proxying
them to allow for content control, CVP virus filtering, etc.

Unfortunately, I have never been satisfied with the operations of these
"security servers." Checkpoint simply isn't in the business of building
proxies or application gateways, and thus, the reliability and effectiveness
of these proxies demonstrate their lack of experience in this area.

HTH,

./dr.kaos
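
The distinction drawn above, as an added illustration that is not part of the original thread and not vendor code: a stateful packet filter decides on the 5-tuple (here just the destination port), while a protocol-aware proxy such as a "security server" also parses the first client bytes and relays only streams that are well-formed for the expected protocol. The sample payloads are constructed; the HTTP check is a simplified request-line validator, not a full parser.

```python
import re

# HTTP/1.x request methods the proxy is willing to relay (assumption: a
# conservative allow-list; a real gateway would be configurable).
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"})

# Request-line grammar: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def port_filter_allows(dst_port: int, allowed_ports=frozenset({80})) -> bool:
    """What a stateful packet filter checks: the destination port (plus state)."""
    return dst_port in allowed_ports


def looks_like_http_request(first_bytes: bytes) -> bool:
    """What an HTTP proxy checks before relaying: a valid request line."""
    m = REQUEST_LINE.match(first_bytes)
    if not m:
        return False
    method, target = m.group(1).decode("ascii"), m.group(2)
    if method not in ALLOWED_METHODS:
        return False
    # request-target must be an absolute path, an absolute URI, or '*' (OPTIONS)
    return target.startswith(b"/") or target.startswith(b"http://") or target == b"*"


def classify(dst_port: int, first_bytes: bytes, http_port: int = 80):
    """Return (packet_filter_verdict, proxy_verdict) for one client flow."""
    if not port_filter_allows(dst_port, frozenset({http_port})):
        return "deny", "deny"
    return "allow", ("allow" if looks_like_http_request(first_bytes) else "deny")


# Constructed sample flows, all aimed at TCP/80 unless noted.
SAMPLE_FLOWS = [
    ("browser", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("ssh-over-80", 80, b"SSH-2.0-OpenSSH_3.1\r\n"),
    ("netcat-chat", 80, b"hello from netcat\n"),
    ("http-on-22", 22, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for name, port, data in SAMPLE_FLOWS:
        pf, proxy = classify(port, data)
        print(f"{name:12s} port={port:<3d} packet-filter={pf:5s} http-proxy={proxy}")
```

Only the first flow passes both checks; the port filter alone waves through the SSH and netcat streams, which is exactly the gap the original question describes.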

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
