Re: Comparisons of Firewall-1 vs. PIX
Jean-Christophe Touvet (jct@edelweb.fr)
Wed, 30 Sep 1998 10:18:17 +0200
- Next message: Ryan Russell: "RE: GXD vs. SPF"
- Previous message: JSK: "Re: are firewalls limited to only protecting ehternet connections?"
- In reply to: R. DuFresne: "are firewalls limited to only protecting ehternet connections?"
- Next in thread: H. Morrow Long: "Re: Comparisons of Firewall-1 vs. PIX"
> Date: Tue, 29 Sep 1998 15:14:28 -0400
> From: "Mark Horn [ Net Ops ]" <mhornNOSPAM@NOSPAMfunb.com>
> To: Chris Hughes <chughes@rpm.com>
> cc: firewall-wizards@nfr.net
>
> Chris Hughes says:
> >I have been tasked (on short notice) to evaluate Checkpoint Firewall-1 vs
> >the Cisco PIX firewall. I am new to firewalling and would appreciate
> >commentary on the strengths and weaknesses of these two solutions.
>
> About the only commentary that I have about Cisco PIX is that there seems
> to be no way to specify source ports in the filter rules.
I think your reply raises an interesting question: should source port
filtering be considered mandatory for a firewall?
I'd say generally no, because firewalls are mainly used to protect networks
from untrusted hosts, and if you don't trust a host, you can't trust source
port of connections coming from it. In many cases, source port filtering even
gives one a false sense of security: I've seen too many network administrators
astonished when presented with results of TCP scans using source port 20 or UDP
scans using source port 53, for example.
Source port filtering is useful when writing outgoing stateless filtering
rules, for instance if one authorizes incoming packets for a given service
port, only packets with this source port should be going out (with ACK bit set
if it's TCP), but stateful filtering doesn't require specifying the second
rule. Theoretically, it should also be useful to control the source port of
connections coming from trusted UNIX hosts, because one can (almost ;-) be
sure that only a root-owned process opened a privileged socket, but that
source port control is generally enforced on the target host.
This is why I'd understand very well that PIX may not allow source port
filtering: basically, it's a diode, which trusts everything in the internal
network and nothing outside. To answer the original question (FW1 vs PIX), I
think that it's also the most fundamental difference between these products:
FW1 can be used to control bidirectional traffic between many network
interfaces and is designed to allow complex rulesets, while PIX's design is
simplistic.
Comments?
-JCT-
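The two points above (source-port rules give a false sense of security against packets that merely carry a "trusted" source port, while a stateless outbound rule can be pinned to the service port plus the ACK bit, and stateful tracking makes that second rule unnecessary) can be shown with a toy filter. This is an added example written for this archive page; it is not code from the poster, from Checkpoint or from Cisco, and it models neither product. The rule syntax, the `Packet`/`Rule` classes, the addresses and the flows are all constructed for the demonstration.

```python
"""Toy packet filter: stateless source-port rules vs. stateful flow tracking.
Constructed example; addresses, ports and rule syntax are invented for it."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the untrusted side, "out" = leaving the protected side
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK flag; always False for UDP


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    direction: str
    proto: Optional[str] = None     # None means "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None      # None means "don't care"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack))


def stateless_decide(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Ruleset A: the tempting stateless shortcut "DNS replies come from port 53, let them in".
NAIVE_DNS = [Rule("permit", "in", "udp", sport=53)]

# Ruleset B: a published SMTP server. The outbound half is pinned to source port 25
# *and* ACK set, so it can carry replies of an existing connection but never open one.
SMTP_PAIR = [
    Rule("permit", "in", "tcp", dport=25),
    Rule("permit", "out", "tcp", sport=25, ack=True),
]


class StatefulFilter:
    """Remembers flows admitted by the rules; a packet that reverses a remembered
    flow is a reply and is admitted without any inbound source-port rule."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.flows:
            return "permit"
        if stateless_decide(self.rules, p) == "permit":
            self.flows.add(key)
            return "permit"
        return "deny"


def demo() -> dict:
    results = {}
    # An unsolicited UDP packet carrying source port 53 passes the naive stateless rule.
    probe = Packet("in", "udp", "203.0.113.9", 53, "10.0.0.5", 111)
    results["naive_stateless_probe"] = stateless_decide(NAIVE_DNS, probe)
    # The stateful filter only knows "inside may query DNS"; the same packet is dropped
    # because no inside host sent a query it could be a reply to.
    sf = StatefulFilter([Rule("permit", "out", "udp", dport=53)])
    results["stateful_unsolicited_probe"] = sf.decide(probe)
    # A genuine query out, then its reply back in, needs no second rule at all.
    query = Packet("out", "udp", "10.0.0.5", 40000, "198.51.100.2", 53)
    reply = Packet("in", "udp", "198.51.100.2", 53, "10.0.0.5", 40000)
    results["stateful_query"] = sf.decide(query)
    results["stateful_reply"] = sf.decide(reply)
    # Stateless SMTP pair: an ACK-bearing reply from port 25 is fine, a new
    # connection from port 25 (no ACK) is not.
    smtp_in = Packet("in", "tcp", "203.0.113.9", 51000, "10.0.0.25", 25)
    smtp_reply = Packet("out", "tcp", "10.0.0.25", 25, "203.0.113.9", 51000, ack=True)
    smtp_new_out = Packet("out", "tcp", "10.0.0.25", 25, "203.0.113.9", 22, ack=False)
    results["smtp_in"] = stateless_decide(SMTP_PAIR, smtp_in)
    results["smtp_reply_out"] = stateless_decide(SMTP_PAIR, smtp_reply)
    results["smtp_new_conn_out"] = stateless_decide(SMTP_PAIR, smtp_new_out)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {verdict}")
```

The ACK-bit trick in `SMTP_PAIR` is the stateless approximation of "only replies may leave": a TCP segment with ACK set cannot be the first segment of a new connection, so the outbound rule cannot be abused to open connections from port 25. The `StatefulFilter` reaches the same result for UDP, where there is no ACK bit to test, by remembering which flows the inside actually started.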
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:48 CDT