I don't know for sure, but I don't think Checkpoint lied about anything.
In all the research I've done on firewalls and the market -- which is quite
a lot BTW, I've never heard of anyone claiming to maintain the state of TCP
connections. I'm not really sure I see why you even need to do that in
most cases, except perhaps to avoid a DoS attack. At any rate, I believe
Checkpoint simply claimed that they used the state machine feature to
handle UDP packets. Do you have any literature from Checkpoint in which
they claim to use state for TCP packet streams -- I've read almost
everything they've put out and don't recall ever seeing this.
-- terry --
At 12:47 PM -0700 10/10/96, west @
>I guess I lost a little bit of the text on that last message. Here it
>Way back on 7 October david .
>> I swear this is not an ad!
>> Take a look at the new announcement for FW-1 V3.0. It's on our web
>> site and was just released this morning.
>> V3.0 provides state-sharing, which allows multiple firewalls to
>> support the same connection. Fixes the Asymmetrical routing issue
>> and provides a high-availability solution as well.
>I just found out why Checkpoint has preannounced "state sharing" (it
>won't be available 'til the end of the year at best) ...
>Up until Firewall-1 2.0, it wasn't really a stateful packet filter.
>It maintained some state for UDP but for TCP connections IT DID NOTHING
>MORE THAN CHECK FOR THE ACK BIT BEING SET ON INBOUND CONNECTIONS!!!!!
>Anyone running Firewall-1 1.2 has no better protection for TCP
>connections than a simple packet filter checking ACK bits for inbound
>packets. Checkpoint has been lying about its true functionality and
>In version 2 they FINALLY seem to have added state for tcp connections.
>The reason I found this was because I had been running 2 Firewall-1
>systems in parallel using version 1.2 and everything worked just fine.
>I upgraded to version 2.0 and suddenly it stopped working. After doing
>some investigation I found out that it worked with version 1.2 because
>all of the inbound packets had the ACK bit set and were therefore not
>checked and just passed on.
>In 2.0 there seems to be some added checking and therefore these packets
>don't get passed on. I was told that in order for my set up to work I
>need to have state sharing and to wait for version 3.0, which may or may
>not be out by the end of the year. NO THANKS!
>I'm dumping my Firewall-1. Any company that can blatantly lie about
>providing some security mechanism (stateful packet filtering - patent
>pending no less) and actually not provide it is not a company who I want
>to depend on to secure my network.
>To reiterate, if you are running anything earlier than 2.0 you have only
>the ACK bit protecting your network. All this stuff about stateful
>packet filtering is baloney.
>Lastly, a financial institution here in my parts has also dumped
>Firewall-1. Seems that a consultant hired to disassemble the binary
>found some suspicious code and upon further investigation believes that
>it is a backdoor for specially formatted packets!
>Can anyone recommend a "good" firewall?
Terry Bernstein
Consultant, Information Technology
SRI Consulting
333 Ravenswood Ave
Menlo Park, CA 94025
415-859-4136 <mailto: tbernstein @
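The thread contrasts two policies: passing any inbound TCP packet whose ACK bit is set (what the quoted post says FW-1 1.2 did) versus tracking each connection from its outbound SYN and admitting only matching replies, and it describes why the second policy breaks when two firewalls sit in parallel and the reply comes back through the box that never saw the SYN. The following Python is an added example written for this page; it is not Check Point's code and does not model FW-1 internals. The packet trace, the address ranges (10.0.0.0/8 assumed to be "inside"), the port numbers and the StatefulFilter class are all constructed for illustration.

```python
"""Added example: ACK-bit-only filtering vs. per-connection state tracking,
including the asymmetric-routing failure the post describes.

Packets and the trace below are constructed; nothing here is captured traffic
and the filter classes are illustrative, not a model of any real product.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # assumption: addresses with this prefix are inside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def is_inbound(p):
    return not p.src.startswith(INSIDE_PREFIX) and p.dst.startswith(INSIDE_PREFIX)


def ack_only_filter(p):
    """Policy the post attributes to FW-1 1.2: outbound always passes; an
    inbound packet passes iff ACK is set, on the assumption that it is a reply.
    Any unsolicited packet with ACK set therefore gets through."""
    if not is_inbound(p):
        return "PASS"
    return "PASS" if "ACK" in p.flags else "DROP"


class StatefulFilter:
    """Minimal connection tracker: remember the 4-tuple of every outbound SYN
    and admit inbound packets only when they belong to a remembered connection.
    Passing a shared table lets several firewalls see the same state."""

    def __init__(self, table=None):
        self.table = table if table is not None else set()

    def handle(self, p):
        if not is_inbound(p):
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return "PASS"
        key = (p.dst, p.dport, p.src, p.sport)  # reverse direction of the SYN
        if key not in self.table:
            return "DROP"
        if "FIN" in p.flags or "RST" in p.flags:
            self.table.discard(key)  # tear down on close/reset
        return "PASS"


# Constructed trace: a normal handshake, then an unsolicited inbound ACK.
CLIENT, SERVER, SCANNER = "10.0.0.5", "192.0.2.10", "198.51.100.7"
HANDSHAKE = [
    pkt(CLIENT, 40000, SERVER, 80, "SYN"),
    pkt(SERVER, 80, CLIENT, 40000, "SYN", "ACK"),
    pkt(CLIENT, 40000, SERVER, 80, "ACK"),
]
UNSOLICITED = [pkt(SCANNER, 31337, CLIENT, 22, "ACK")]


def compare_single_firewall():
    """Run both policies over the same trace through one firewall."""
    stateful = StatefulFilter()
    trace = HANDSHAKE + UNSOLICITED
    return {
        "ack_only": [ack_only_filter(p) for p in trace],
        "stateful": [stateful.handle(p) for p in trace],
    }


def asymmetric_routing(mode):
    """Two firewalls in parallel: the SYN leaves through A, the SYN/ACK
    returns through B, the client's ACK leaves through A again.
    mode is "ack_only", "stateful" (separate tables) or "shared" (one table)."""
    if mode == "ack_only":
        handlers = [ack_only_filter] * 3
    else:
        shared = set() if mode == "shared" else None
        fw_a = StatefulFilter(shared)
        fw_b = StatefulFilter(shared if shared is not None else None)
        handlers = [fw_a.handle, fw_b.handle, fw_a.handle]
    return [h(p) for h, p in zip(handlers, HANDSHAKE)]


if __name__ == "__main__":
    print(compare_single_firewall())
    for m in ("ack_only", "stateful", "shared"):
        print(m, asymmetric_routing(m))
```

With one firewall, the ACK-only policy passes the unsolicited packet to port 22 while the stateful policy drops it. With two firewalls and no shared table, the stateful policy drops the legitimate SYN/ACK because firewall B never saw the SYN, which is the behaviour the poster hit after upgrading; the ACK-only policy "works" in that setup only because it is not checking anything beyond the ACK bit. Sharing the table between the two instances is the simplest form of the state-sharing the announcement describes.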