
Firewalls – Performance vs. Security

While stateful packet filters are the most popular firewall products, their popularity has more to do with their performance than their absolute security. 

If security is important to your customers, the evidence below suggests that you should advocate application-level gateway firewalls.

When advocating application-level firewalls, you should be considering the AXENT Technologies Raptor Firewall 6.5.

‘Trade-off for performance gains against total security’

An attack is described by IT World News (7 July) as being capable of passing through Checkpoint’s FireWall-1 to a supposedly protected port. Rumours that Cisco PIX was also vulnerable to such an attack turned out to be true: Cisco had posted a fix for the PASV problem on 16 March 2000.

Checkpoint’s FireWall-1 and Cisco PIX also have a problem with the FTP PORT command. When an FTP client wishes to exchange data (including directory listings) with an FTP server, it either agrees to accept a connection from the server, telling the server where to connect using the PORT command, or has previously arranged, with the PASV command, to make an additional connection to the server itself. This behaviour is quite unlike that of HTTP, where one TCP connection is used for both commands and data.

The PORT command poses a problem for firewalls that do not use application-level gateways. Application-level gateways are programs that run on a firewall and secure connections through that firewall. Each connection (between an FTP client and an FTP server, for example) requires its own program. The program monitors the commands the user sends as well as the responses that the server returns. Because there is a single program doing this, a properly written gateway can easily keep track of the order of the commands issued by a client and the responses of a server. Each protocol requires a different application-level gateway that understands the different commands and responses used.

‘Application-level gateways are much harder to fool’

Furthermore, stateful packet filters use a state table to keep track of which packets should be permitted through the firewall, and this state table can be fooled by sending specially addressed packets to the firewall – the basis for the recent problems with FireWall-1 and PIX.

Application-level gateways are much harder to fool, as the way they maintain state is to have one running process per connection -- and this process can be much more thorough in testing for the correctness of data sent through the firewall.
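As an added illustration (not code from the Cipher-IT article or from any of the firewall products it names), the following minimal Python state machine shows the kind of command/response tracking an FTP application-level gateway performs on one control connection: a data-connection pinhole is opened only for a PORT address that belongs to the client itself, or for a 227 reply that names the server itself and directly follows the client’s PASV; everything else is refused. The class and the sample addresses are hypothetical and constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical FTP application-level gateway (added example): one instance per
# control connection, tracking the order of client commands and server replies.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
PASV_RE = re.compile(r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(groups):
    """Turn h1,h2,h3,h4,p1,p2 into (ip, port); None if any octet is out of range."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        return None
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]


@dataclass
class FtpGateway:
    client_ip: str
    server_ip: str
    awaiting_pasv_reply: bool = False
    pinholes: list = field(default_factory=list)   # (dst_ip, dst_port, direction)

    def from_client(self, line: str) -> str:
        """Inspect one command line from the client; returns ALLOW, DENY or PASS."""
        self.awaiting_pasv_reply = line.strip().upper() == "PASV"
        m = PORT_RE.match(line)
        if not m:
            return "PASS"
        hp = decode_hostport(m.groups())
        # Active mode: only a data connection back to the client that issued
        # the command, on an unprivileged port, is opened.
        if hp is None or hp[0] != self.client_ip or hp[1] < 1024:
            return "DENY"
        self.pinholes.append((hp[0], hp[1], "server->client"))
        return "ALLOW"

    def from_server(self, line: str) -> str:
        """Inspect one reply line from the server; returns ALLOW, DENY or PASS."""
        m = PASV_RE.match(line)
        if not m:
            return "PASS"
        # A 227 reply is honoured only directly after the client sent PASV,
        # so an unsolicited or repeated reply cannot open a pinhole.
        if not self.awaiting_pasv_reply:
            return "DENY"
        self.awaiting_pasv_reply = False
        hp = decode_hostport(m.groups())
        if hp is None or hp[0] != self.server_ip or hp[1] < 1024:
            return "DENY"
        self.pinholes.append((hp[0], hp[1], "client->server"))
        return "ALLOW"
```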

Source: IT World News July 2000




Images and content are copyright to Cipher-IT Ltd
