Penetration Testing mailing list archives
Re: firewall question
From: dr.kaos <dr.kaos () kaos to>
Date: Thu, 14 Feb 2002 14:47:48 -0500
On Wednesday 13 February 2002 08:44 pm, leon wrote:
I have a question regarding stateful inspection firewalls (specifically pix and checkpoint).
[...snip...]
if either of these firewalls has a method of filtering based on protocol (for example, allow 80 to be a destination port, but only HTTP traffic can cross it: no netcat, no AIM, no limewire, just HTTP).
[...snip...]
So to reiterate: is there a way to configure PIX or Checkpoint to judge the connection based on protocol as opposed to arbitrary things like source IP, destination IP or port numbers?
Simple answer: no. Because stateful filters are effectively smart packet filters, they are simply not designed to do application layer inspection.

That said, there are functions available in several stateful firewall applications that will allow such filtering by implementing 'content-security' proxies. Specifically, Checkpoint has "security servers" that can be used for http, ftp, and smtp connections, effectively proxying them to allow for content control, CVP virus filtering, etc.

Unfortunately, I have never been satisfied with the operations of these "security servers." Checkpoint simply isn't in the business of building proxies or application gateways, and thus, the reliability and effectiveness of these proxies demonstrates their lack of experience in this area.

HTH,
./dr.kaos
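As an added illustration of the distinction drawn in this reply (not code from the thread or from either vendor), the snippet below contrasts the port-only decision a stateful filter can make with a minimal application-layer check of the HTTP request line; the flows, addresses and function names are constructed for the example.

```python
"""Port-based vs. protocol-aware filtering of traffic to TCP/80.

A stateful packet filter decides on the 5-tuple, so anything sent to port 80
passes; a content-security proxy looks at the payload and accepts only what
parses as HTTP. Sample flows below are constructed, not captured.
"""
import re
from dataclasses import dataclass

# Request line per RFC 7230: METHOD SP request-target SP HTTP-version CRLF
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent after the TCP handshake


def stateful_rule(flow: Flow) -> bool:
    """All a 'smart packet filter' can decide: is the destination port 80?"""
    return flow.dport == 80


def looks_like_http(payload: bytes) -> bool:
    """Application-layer check: payload must open with a valid request line."""
    m = REQUEST_LINE.match(payload)
    return m is not None and m.group(1).decode() in HTTP_METHODS


def classify(flow: Flow) -> str:
    """Apply the port rule first, then the protocol check, and say which failed."""
    if not stateful_rule(flow):
        return "drop: port"
    if not looks_like_http(flow.payload):
        return "drop: non-http on 80"
    return "allow"


# Constructed flows: a browser request, a raw netcat-style session on port 80,
# a binary chat-style login on port 80, and a non-80 connection.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    Flow("10.0.0.6", "198.51.100.10", 80, b"hello from netcat\n"),
    Flow("10.0.0.7", "198.51.100.10", 80, b"*\x02\x00\x00\x00\x04\x00\x00\x00\x01"),
    Flow("10.0.0.8", "198.51.100.10", 6667, b"NICK leon\r\n"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src, "->", f.dport, classify(f))
```

A real content-security proxy validates the whole exchange in both directions; a first-line check like this only catches traffic that does not even attempt to look like HTTP.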