Re: [FW1] Checkpoint FW-1 vs. a Proxy Firewall. Which is more secure?
I don't think there are any transparent proxies out there yet; but one may argue
that Checkpoint's security servers are just that.
Jingwei Ke <jke@seas.marine.usf.edu> on 05/28/99 05:37:14 PM
Please respond to Jingwei Ke <jke@seas.marine.usf.edu>
To: Karim Ismail/Markham/IBM@IBMCA
cc: fw-1-mailinglist@lists.us.checkpoint.com (bcc: Stuart Irving/Markham/IBM)
Subject: Re: [FW1] Checkpoint FW-1 vs. a Proxy Firewall. Which is more secure?
Good question. On the other side, is it possible for a proxy firewall to
be transparent?
I am new to the firewall world, and pretty interested in these basic problems.
Regards,
Jingwei
On Fri, 28 May 1999 karimi@ca.ibm.com wrote:
> Hello
>
> I would like to solicit from the members of this mailing list as to how they
> rate the security of a Checkpoint Firewall using "stateful" inspection versus
> a proxy type firewall such as SecureIT Milkyway or IBM's E-Firewall?
>
> I have heard that Proxy-based firewalls are more secure, because they strip
> the IP datagram and examine the actual contents of the data for legitimacy.
> For example, a stream of SMTP type commands embedded in a frame would
> be examined, and if an offensive command were found, the frame would be
> discarded.
> I understand the Proxy Firewall is doing this at Layer 7 (Application).
>
> I have also heard that a stateful-inspection type firewall such as
> Checkpoint's FW-1 is only a glorified router with "smarts". The stateful
> inspection works between Layer 2 (Data Link) and Layer 3 (Network) and claims
> to only allow a packet up to the upper layers only if the previous "state" and
> "context" of the connection of a previous connection cached in its dynamic
> state table seems to be in valid sequence as determined by the FW-1 algorithms.
>
> However, this does *not* stop packets that have hack commands, debugging,
> or cracking commands that may be embedded in the frame, since a stateful
> inspection or filtering type firewall does not examine the actual commands in
> the data to see if there is something offensive. So if a packet passes the
> stateful inspection rules and gets sent to the upper layers, it could be
> devastating if a hacker inputted a stream of debugging or hacking commands,
> (say for example sendmail hacking commands) b/c FW-1 would not even examine
> the contents of the data to see if they are valid.
>
> I would appreciate the input of members in this group as to whether they feel
> stateful-inspection is more secure than Proxy firewalls.
>
> thanks
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
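The thread's core question is what each firewall model actually looks at: a stateful filter decides on headers and a dynamic connection-state table, while a proxy reassembles the application stream and parses its commands. The following simulation is an added example written for this archive page; it is not code from the thread, from Check Point, or from IBM. It assumes a simplified TCP flag set ("SYN", "SYN-ACK", "ACK", "FIN"), constructed addresses and a constructed SMTP session in which the client sends the verb "DEBUG" (chosen here only as a verb outside the allowlist). The stateful model passes every packet of the session because each one fits the state table; the proxy model refuses the one line whose verb it does not recognise, which is exactly the gap the original poster describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # constructed simplification of the TCP flag set
    payload: bytes = b""


class StatefulFilter:
    """Layer 3/4 model: verdicts come from header fields and a dynamic state
    table keyed on the connection 4-tuple. The payload is never examined."""

    def __init__(self, allowed_dports):
        self.allowed_dports = set(allowed_dports)
        self.table = {}   # (client, cport, server, sport) -> connection state

    def _lookup(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)   # client -> server
        rev = (p.dst, p.dport, p.src, p.sport)   # server -> client
        if fwd in self.table:
            return fwd, "out"
        if rev in self.table:
            return rev, "in"
        return None, None

    def inspect(self, p):
        key, direction = self._lookup(p)
        state = self.table.get(key)
        if p.flags == "SYN" and key is None:
            if p.dport not in self.allowed_dports:
                return False                   # no rule permits a new connection here
            self.table[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
            return True
        if p.flags == "SYN-ACK" and direction == "in" and state == "SYN_SENT":
            self.table[key] = "SYN_RECEIVED"
            return True
        if p.flags == "ACK" and direction == "out" and state == "SYN_RECEIVED":
            self.table[key] = "ESTABLISHED"
            return True
        if p.flags == "ACK" and state == "ESTABLISHED":
            return True                        # data in either direction: passed unread
        if p.flags == "FIN" and state == "ESTABLISHED":
            del self.table[key]
            return True
        return False                           # anything out of sequence is dropped


# Allowlist of SMTP verbs this toy proxy is willing to relay (an assumption of
# the example, not a complete SMTP grammar).
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


class SmtpProxy:
    """Layer 7 model: reassembles the client's command stream across packet
    boundaries, parses each line as an SMTP command and relays only verbs on
    the allowlist. Lines after DATA are message body, not commands, until the
    terminating '.' line."""

    def __init__(self, allowed_verbs=SMTP_VERBS):
        self.allowed = allowed_verbs
        self.buf = b""
        self.in_data = False

    def feed(self, data):
        """Return a list of (line, verdict) for every complete line seen so far."""
        self.buf += data
        verdicts = []
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            if self.in_data:
                verdicts.append((line, "relay"))   # body text is relayed as-is
                if line == b".":
                    self.in_data = False
                continue
            verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
            if verb in self.allowed:
                verdicts.append((line, "relay"))
                if verb == "DATA":
                    self.in_data = True
            else:
                verdicts.append((line, "refuse"))  # unknown verb is not relayed
        return verdicts


def run_scenario():
    """Constructed session: three-way handshake, then a command stream in which
    one line carries a verb ("DEBUG") outside the proxy's allowlist."""
    c, s = ("10.0.0.5", 40000), ("192.0.2.25", 25)      # constructed addresses
    commands = [b"HELO client.example\r\n", b"MAIL FROM:<a@example.com>\r\n",
                b"DEBUG\r\n", b"QUIT\r\n"]
    packets = [Packet(*c, *s, "SYN"), Packet(*s, *c, "SYN-ACK"), Packet(*c, *s, "ACK")]
    packets += [Packet(*c, *s, "ACK", cmd) for cmd in commands]

    fw = StatefulFilter(allowed_dports={25})
    l4_verdicts = [fw.inspect(p) for p in packets]       # every packet fits the state table

    proxy = SmtpProxy()
    l7_verdicts = []
    for p in packets:
        if p.payload and p.src == c[0]:
            l7_verdicts += proxy.feed(p.payload)          # only the proxy reads the bytes
    return l4_verdicts, l7_verdicts


if __name__ == "__main__":
    l4, l7 = run_scenario()
    print("stateful filter:", l4)
    for line, verdict in l7:
        print(f"proxy: {verdict:6s} {line!r}")
```

Two design points are worth noting. The stateful model still does real work: an ACK with no table entry and a SYN to a port without a rule are both dropped, which is the "state and context" check the poster describes. What it cannot do is see the verb inside an ESTABLISHED flow. The proxy, by contrast, has to carry protocol knowledge (the DATA body state, line reassembly across packets), and that knowledge is exactly what makes it both more thorough and harder to keep correct for every protocol.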