Great Circle Associates Firewalls
(February 1997)
 


Subject: Re: Raptor vs Firewall-1
From: Martin_Khoo/SIN/Lotus @ lotus . com
Date: Thu, 20 Feb 1997 09:47:22 +0900
To: R . Lowe @ pindar . co . uk
Cc: firewalls @ greatcircle . com




Hi Richie,

I have been working with FW-1 for about 2 years since the days of V1.2.1.
IMHO FW-1 is a fantastic piece of product; it has improved tremendously
since the days of V1.2.1. Their soon-to-be-released version (V3.0) is a cool
piece of product.

As to people who claimed that FW-1 is a 'packet filter', the simple answer
is NO it is not a packet filter as in the sense of that done by routers. It
does much more than the simple packet filtering router; it is able to
filter connectionless protocols like UDP and RPC-based applications which
use dynamic ports.
One of the important features that distinguishes FW-1 from a simple packet
filtering router is the way FW-1 handles FTP traffic. A normal packet
filtering router would need to set an ACL to allow access to ports >1024
in order to allow for data transfer from the FTP server back to the client;
this is a bad idea. FW-1 tracks the FTP PORT command sent by the client to
the server and only opens up that particular port and closes it down when
the data transfer is over.
Their packet filtering scheme is called Stateful Multi Level Inspection.

If you are concerned with the ability to control FTP PUT & GET, V3.0 of
FW-1 allows you to define Resource Objects which allow you to do just
that. FW-1 supports a huge list of services including SQL*NET, MS
Netmeeting, Netscape CoolTalk, RealAudio etc. So why do you need an
application proxy-based firewall like Raptor?

I am not going to go into a debate of whether a 'packet filtering' firewall
is more secure than an 'application proxy-based' firewall. Whichever type of
firewall you decide to use, if you misconfigure the thing there is no
difference.

I have only had a brief encounter with Raptor (V3.0) so I can't say much about
it. I know that its GUI management interface is comparable to that of FW-1
but I have heard comments on the comp.security.firewalls newsgroup that it
has performance problems.

I am not related to Checkpoint; the above are just my comments from
working with the product. For more details go to their web site at
http://www.checkpoint.com


Cheers!
Martin Khoo




R . Lowe @ pindar . co . uk on 02/19/97 11:37:41 PM

To:   firewalls @ GreatCircle . COM
cc:    (bcc: Martin Khoo/SIN/Lotus)
Subject:  Raptor vs Firewall-1




One of our customers is soon to buy a firewall, and we're wondering whether
to recommend Firewall-1 or Raptor to them (there doesn't seem to be much
difference in price).

I'm told that Raptor is more secure since Firewall-1 comes from a Packet
Filtering rather than application Proxy background.  Is this true?

Can anybody put their hand on their heart and make a recommendation?

- Richie
___________________________________________________________
Richard Lowe, Internet Consultant/Administrator, Pindar plc
Tel   : +44 (0)1904 613040    EMail: R . Lowe @ pindar . co . uk
Fax   : +44 (0)1904 613110    http://www.pindar.co.uk
Pager : +44 (0)1426 800403    ISDN: +44 (0)1904 673010
___________________________________________________________
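
The FTP handling described in the reply above (tracking the client's PORT command and opening only that one port until the transfer ends), sketched next to the static ">1024" router rule. This is an added illustration, not part of the original messages and not FW-1's code; the class and function names, the sample addresses, and the extra address and privileged-port checks are assumptions.

```python
import re

# PORT argument per RFC 959: four address octets, then two port bytes.
PORT_RE = re.compile(r"^PORT ((?:\d{1,3},){5}\d{1,3})\r?\n?$", re.IGNORECASE)


def static_acl_allows(dst_port):
    """The router-style rule from the post: every port >1024 is always open."""
    return dst_port > 1024


class FtpPinholeTracker:
    """Hypothetical stateful filter for active-mode FTP data connections."""

    def __init__(self):
        self.pinholes = set()  # entries: (server_ip, client_ip, client_port)

    def inspect_control(self, client_ip, server_ip, line):
        """Inspect one client-to-server control line; return the pinhole opened, or None."""
        m = PORT_RE.match(line)
        if not m:
            return None
        fields = [int(x) for x in m.group(1).split(",")]
        if any(f > 255 for f in fields):
            return None
        ip = ".".join(map(str, fields[:4]))
        port = fields[4] * 256 + fields[5]
        # Added checks (assumption, not described in the post): the announced
        # address must be the client's own and the port must be unprivileged.
        if ip != client_ip or port < 1024:
            return None
        hole = (server_ip, client_ip, port)
        self.pinholes.add(hole)
        return hole

    def allows_data(self, src_ip, dst_ip, dst_port):
        """Permit a server-to-client data connection only through an open pinhole."""
        return (src_ip, dst_ip, dst_port) in self.pinholes

    def transfer_done(self, server_ip, client_ip, port):
        """Close the pinhole once the data transfer is over."""
        self.pinholes.discard((server_ip, client_ip, port))


if __name__ == "__main__":
    # Constructed sample session (documentation addresses, not from the post).
    fw = FtpPinholeTracker()
    hole = fw.inspect_control("192.0.2.10", "198.51.100.5", "PORT 192,0,2,10,7,138\r\n")
    print(hole, fw.allows_data(*hole), fw.allows_data("198.51.100.5", "192.0.2.10", 1931))
```
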




