-----BEGIN PGP SIGNED MESSAGE-----
Fundamentally the firewall code embbeds itself into the TCP/IP stack
between the MAC (Datalink) layer and the Network layer. As a result
OS specific and Server App specific bugs do not affect its
reliability as a firewall. Of course you have to trust the IP stacks
reliability in this case but things like stealthing the firewall does
keep anoying things like Ping of Death the like off your back.
Please note that if for some reason you are running other services on
an fw-1 box and those services are subject to a malicious exploit it
is feasible for someone to aquire control of the box using that
service and thereby have the ability to reconfigure or shutdown the
Hence my advice to all my clients to let a firewall be a firewall and
nothing else. Can you run FTP,HTTP,SMTP,DNS and all that on the box.
Sure but you leave yourself open to potential hacks at application
layer that will lead to a hacker puting the firewall out of its
misery. Please note this is a problem I've observed with a number of
products on the market and in a statement "Friends don't let Friends
run other apps on their firewalls"!
At 03:52 AM 11/29/97 -0600, William Cooper wrote:
> I've heard it said that Check Point's Firewall-1 runs in such a way
>the OS is not vulneralbe, or the Firewall is not subject to
>vulnerabilities that exist in the operating system itself. I'm
>someone could affer some pointers to information that offers a more
>detailed explanation of this and possibly addresses whether or not
>true (re:NT & unix.) I've searched dejanews and this list's archive
>still have questions.
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
-----END PGP SIGNATURE-----