RE: Web Server using a ThinkPad? -Reply


From: David Newman (dnewman_at_networktest.com)
Date: Wed Dec 15 1999 - 03:55:48 EST


"Packet filter" is a more accurate term than "firewall" in describing
routers from Cisco or anyone else.

Routers do access control one packet at a time by filtering on source and
destination IP addresses and possibly on TCP or UDP port numbers.

Firewalls do that too, but in addition they run state machines that verify
that the correct application-layer handshaking has taken place.

To illustrate, consider a Web connection. A router can screen for bad IP
addresses and possibly for some bad combination of address plus port number
(e.g., it can drop all packets that don't use port 80, or all packets that
do use port 80 originating from a given IP address or network).

A firewall digs deeper into each packet, verifying that it contains a
properly formed HTTP header. In addition, it keeps track of the HTTP flow (a
client sends a GET request, the server ACKs the GET, etc.) and opens a
connection only after the requisite HTTP connection setup stuff has
occurred.

To sum up, a router won't protect you from Bad Guys sending Evil Packets
using valid port numbers and a firewall will. Then again, no firewall can
protect you from Bad Guys using legitimate HTTP connections to send bogus
packets. But that's a topic for another post. . .

Hope this helps.

dn

> -----Original Message-----
> From: Tom Trottier [mailto:tom_at_act.ca]
> Sent: Wednesday, December 15, 1999 8:05 AM
> To: Mike Hunziker; THINKPAD_at_cs.utk.edu
> Subject: Re: Web Server using a ThinkPad? -Reply
>
>
> Hi Mike,
>
> Sorry for the long delay. The Cisco router can have some "firewall"
> capabilities, at least in terms of addresses accepted. But you'll
> have to get details from someone else.
>
> Tom
>
> On 1 Dec 99, at 7:13, Mike Hunziker <MCHunziker_at_us.fortis.com>
> spoke about "Re: Web Server using a ThinkPad? -R," saying
>
> > Tom...the cisco 675 plugs into a hub...the machines connect to the hub.
> > Isn't that directly connected? Can't the cisco serve as the firewall with
> > port blocking? You would still need to lock down the windows machines
> > but there is no need to leave all ports open either.
> >
> > >>> Tom Trottier <Tom_at_act.ca> 12/01/99 12:31am >>>
> > No, there is no "direct" connection. The firewall on the interface machine
> > would interface with the DSL, do any filtering, virus checking or
> > whatever, translate the address the packet came in on, (IP or IP+port) &
> > distribute it to the appropriate machine with its own IP address in the subnet.
> >
> > I'm just a dilettante - see
> >
> > http://www.networkcomputing.com/netdesign/wall1.html
> >
> > Tom
> >
> > At 20:47 1999/11/30 -0800, Randal Whittle wrote:
> > >At 11:40 PM 11/30/1999 -0500, you wrote:
> > ...
> > >>Actually, the firewall software only needs to be on the machine that
> > >>interfaces to the internet. Then you'd need a separate ethernet card to
> > >>connect up the other machines.
> > >>Tom
> > >
> > >Tom,
> > > Doesn't this assume a traditional server configuration?
> > > I'm looking at a situation where a small number of machines are
> > >peer-networked, all making use of a DSL Modem. In this configuration (if I
> > >understand it properly), each machine is essentially connected to the DSL
> > >line directly--which means each one would need individual protection at a
> > >software level (or a piece of hardware between them and the connection to
> > >the Internet, whether that is a server or a specialty firewall box such as
> > >the Sonic Wall I described either.
> > >
> > > In such a configuration--peer networked machines--am I mistaken in
> > >presuming that each machine would require a software firewall to be
> > >protected?
> > >
> > >- Randy Whittle
> > ------------------
> > From:Tom Trottier, 400 Slater St. Suite 415,Ottawa ON Canada K1R 7S7
> > __o Voice: +1 613 291-1168 fax(no ads, please): 594-5412
> > _ \< "Make it as simple as possible, but no simpler" - Einstein
> > (*)/'(*) TomTrottier_at_hotmail.com
> >
> >
> >
> > ****************************************************************
> > Please Note
> > The information in this E-mail message is legally privileged
> > and confidential information intended only for the use of the
> > individual(s) named above. If you, the reader of this message,
> > are not the intended recipient, you are hereby notified that
> > you should not further disseminate, distribute, or forward this
> > E-mail message. If you have received this E-mail in error,
> > please notify the sender. Thank you
> > *****************************************************************
>
>
> -----------------
> From:Tom Trottier, 400 Slater St. Suite 415,Ottawa ON Canada K1R 7S7
> __o <Tom_at_act.ca> <TomTrottier_at_hotmail.com> ICQ:57647974
> _ \< Voice: +1 613 291-1168 fax: 594-5412 No ads, please
> (*)/'(*) "Make it as simple as possible, but no simpler" - Einstein
>

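The distinction David draws between a router's packet filter and a firewall's state machine, as an added illustration that is not part of the original thread: the same address/port policy applied stateless versus with a minimal TCP handshake tracker, run over constructed packets (all addresses, ports and flags below are made up for the example).

```python
from collections import namedtuple

# One TCP packet: addresses, ports and flags ("S", "SA", "A", "PA") are all we inspect.
Pkt = namedtuple("Pkt", "src sport dst dport flags")

INSIDE = "192.0.2.10"  # constructed address of the internal web server

def acl_allows(p):
    """Router-style packet filter: each packet judged alone on addresses and ports."""
    # permit anything to the server's port 80, and anything the server sends from port 80
    return (p.dst == INSIDE and p.dport == 80) or (p.src == INSIDE and p.sport == 80)

class StatefulFirewall:
    """Same address/port policy, but a packet must fit the handshake state on record."""
    def __init__(self):
        self.conns = {}  # initiator 4-tuple -> "SYN", "SYNACK" or "ESTABLISHED"

    def allows(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)   # packet in the initiator's direction
        rev = (p.dst, p.dport, p.src, p.sport)   # packet flowing back to the initiator
        if p.flags == "S" and fwd not in self.conns and acl_allows(p):
            self.conns[fwd] = "SYN"              # a connection can only start with a SYN
            return True
        if p.flags == "SA" and self.conns.get(rev) == "SYN":
            self.conns[rev] = "SYNACK"           # server's reply to a SYN we recorded
            return True
        if "A" in p.flags and self.conns.get(fwd) == "SYNACK":
            self.conns[fwd] = "ESTABLISHED"      # client's ACK completes the handshake
            return True
        # anything else passes only on a fully established connection, in either direction
        return "ESTABLISHED" in (self.conns.get(fwd), self.conns.get(rev))

# Constructed traffic: a full handshake and a GET, then two packets with no handshake behind them.
CLIENT, STRANGER = "198.51.100.7", "203.0.113.9"
SAMPLE = [
    Pkt(CLIENT, 40000, INSIDE, 80, "S"),
    Pkt(INSIDE, 80, CLIENT, 40000, "SA"),
    Pkt(CLIENT, 40000, INSIDE, 80, "A"),
    Pkt(CLIENT, 40000, INSIDE, 80, "PA"),    # the GET itself
    Pkt(STRANGER, 51000, INSIDE, 80, "PA"),  # valid port, but no handshake: the ACL lets it in
    Pkt(STRANGER, 51001, INSIDE, 23, "S"),   # wrong port: both filters drop it
]

def acl_verdicts():
    return [acl_allows(p) for p in SAMPLE]

def stateful_verdicts():
    fw = StatefulFirewall()
    return [fw.allows(p) for p in SAMPLE]
```

The fifth packet is the case David describes: it uses a valid port number, so the stateless ACL admits it, while the state tracker drops it because no handshake preceded it.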


This archive was generated by hypermail 2.1.3 : Thu Jan 23 2003 - 09:55:39 EST