Re: New to firewalls
From: iliad (nospambrad.grandorff@tnweb.com)
Date: 11/27/02
- Next message: joe@q.net: "Re: how to stop transmitting ip address and harddrive contents"
- Previous message: iliad: "Re: Which hardware firewall should I use for web servers doing 100 Mbps"
- In reply to: ravi: "Re: New to firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "iliad" <nospambrad.grandorff@tnweb.com> Date: Tue, 26 Nov 2002 20:15:49 -0600
Firewalls running access lists are "ok" for basic perimeter security. But,
they are fairly simple to get past if I want your data.
Access lists do very simple traffic inspection. Simply, if the IP (basic
access lists on Cisco) matches the rule, then allow. Or, with extended access
lists (once again, Cisco), I can go into layer four and check the source or
destination port.
The problem is, with packet filters it is easy to hijack sessions, input
invalid data, etc. They do not maintain the state of the connection.
They do not understand if a TCP three-way handshake has taken place, for
instance.
Stateful firewalls are far superior to packet filters, but packet filters
have very low overhead.
Also, sometimes you have to open up entire port ranges for services such as
FTP. With FTP, you have to open up all high ports for the return connection
that comes from the server to the client. OUCH (speaking about packet
filters, not stateful).
With stateful inspection, it understands that the server is talking back to
the client in such-and-such packet, so it only allows that particular IP and
port to come across. Which is a HUGE, and I can't stress it enough, HUGE
security advantage.
Cisco currently is pushing CBAC, Context-Based Access Control, which is
actually a stateful inspection engine running on their routers. A true
firewall, so to speak. I have used it in lighter traffic areas with great
success.
"ravi" <aitaravi@rediffmail.com> wrote in message
news:27e77dab.0211222200.75b2cb03@posting.google.com...
> aitaravi@rediffmail.com (ravi) wrote in message
news:<27e77dab.0211152157.74470f9e@posting.google.com>...
> > Hi
> > the differences between the functionality of access-lists that
> > are configured in Routers and the firewalls (specifically the
> > CheckPoint firewall)
> > What is the advantage of using checkpoint firewall?(can access-lists
> > in routers substitute the functionality of firewall)
> >
> > Expecting indepth answers
> > Thanking all of u
> > Ravi
> Is there anybody -kindly send info
> Expecting eagerly
> Thanks for all
> Ravi
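The two approaches the reply above contrasts, shown side by side as an added example (this is not configuration from the original post or from Cisco documentation). The topology, interface names, the 192.0.2.0/24 inside network, the ACL numbers and the inspect rule name FW-OUT are all assumptions chosen for illustration; the scenario is inside clients doing active-mode FTP to servers on the Internet, where the server opens the data connection from port 20 back to a high port on the client.

```cisco
! ===== Version 1: packet filter only (extended ACL, stateless) =====
! Hypothetical outside interface Serial0/0, inside network 192.0.2.0/24.
!
! "established" only checks that the ACK or RST bit is set. The router has
! no memory of a handshake, so any crafted packet with ACK set matches this
! line - which is the session-hijacking weakness described in the post.
access-list 110 remark Replies to sessions the inside opened (ACK/RST bit only)
access-list 110 permit tcp any 192.0.2.0 0.0.0.255 established
!
! Active-mode FTP data: the server SYNs from port 20 to an unknown client
! high port, so "established" never matches it. The only stateless answer is
! to open every high port on every inside host to anyone claiming source port 20.
access-list 110 remark Active FTP data channel - the whole high-port range is exposed
access-list 110 permit tcp any eq 20 192.0.2.0 0.0.0.255 gt 1023
!
access-list 110 deny ip any any log
!
interface Serial0/0
 ip access-group 110 in

! ===== Version 2: CBAC (stateful inspection on the same router) =====
! The inspect rule watches sessions leaving via Serial0/0 and inserts
! temporary entries into the inbound ACL for exactly the return traffic
! belonging to each tracked session (source/destination IP and port).
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
! The ftp inspector parses the control channel, so when a client sends PORT
! it opens a pinhole for that one server-to-client data connection only.
ip inspect name FW-OUT ftp
!
! Nothing is statically permitted inbound; CBAC adds per-session entries
! above this deny as sessions are created and removes them when they end.
access-list 120 remark Inbound: only CBAC-created return entries, then deny
access-list 120 deny ip any any log
!
interface Serial0/0
 ip access-group 120 in
 ip inspect FW-OUT out
```

Two caveats worth keeping in mind with Version 2. CBAC only tracks transit sessions it saw, so anything that must reach the router itself or originate from outside (a routing-protocol peer, ICMP unreachables you want to receive, remote management) still needs an explicit permit above the deny in ACL 120. And the pinholes are only as good as the inspector's understanding of the protocol; `show ip inspect sessions` lists the sessions currently open and `show ip inspect config` shows which inspectors are active, which is the first thing to check when a return connection is unexpectedly dropped.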