Firewall Wizards mailing list archives
Re: GXD vs. SPF
From: Frederick M Avolio <fred () avolio com>
Date: Sat, 26 Sep 1998 19:36:27 -0400
Bill,

This gets at what has been the heart of such discussions. Namely, the issue is not what can be done, but what *is* done in a given (or some or most) implementations. Certainly, a SPF could be more secure than a GXD. If truly all a GXD does is provide a proxy with no security, then it still can protect the inside machines from some classes of attacks, and a GXD could add strong authentication (unlike SPFs) or better logging than PFs, but is probably little better than any packet filter.

It is reminiscent of when HTTP first came and people had trouble with it because firewalls didn't support it. CERN came out with a "proxy". Well, all it did was allow HTTP traffic to pass from the inside to outside and back. There were no security features (and it was tens of thousands of lines of code).

Of course, some services have no useful features that would make a real application gateway beneficial. When you see that a proxy is offered for a service but that all it is doing is, well, being a proxy, (like the plug-gw in the FWTK) the same service could be done as securely and faster with a SPF.

Fred

At 08:28 PM 9/24/98 -0400, Stout, Bill wrote:
Having done my fair share of hand waving and whiteboarding about AG vs. SPF, I'm curious about something else. Generic Proxy security vs. SPF session security.

Given a specific traffic session, ignoring the whole packet-level attack category: If the GXD simply reassembles segments to TCP windows and passes them on to the target, only using sequence numbers to keep track of the TCP session, would a SPF provide better validation of a session than a generic proxy?

The security stack would be:

AG
SPF
GXD
Packet Filter

Bill Stout
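
Added illustration, not part of the original thread: a minimal plug-style relay in the spirit of the plug-gw case mentioned above, showing that the inside host receives the proxy's own TCP session while the payload itself passes through unvalidated. The function names, loopback addresses and sample payload are constructed for this example.

```python
import socket
import threading

def _pump(src, dst):
    """Copy bytes one way until EOF; the content is never parsed or checked."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)      # propagate EOF to the other side
    except OSError:
        pass                              # peer already gone

def start_plug_relay(target, allowed_clients=("127.0.0.1",)):
    """Relay loopback connections to `target`; returns the listening address."""
    lsock = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            client, (addr, _port) = lsock.accept()
            if addr not in allowed_clients:   # only policy: source address
                client.close()
                continue
            upstream = socket.create_connection(target)  # proxy's own TCP session
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=_pump, args=(a, b), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()

def demo():
    """Send a constructed, protocol-invalid payload through the relay."""
    seen = {}
    backend = socket.create_server(("127.0.0.1", 0))
    def backend_once():
        conn, _peer = backend.accept()
        seen["data"] = conn.recv(4096)    # what the inside host actually receives
        conn.sendall(b"OK\n")
        conn.close()
    worker = threading.Thread(target=backend_once, daemon=True)
    worker.start()
    relay_addr = start_plug_relay(backend.getsockname())
    bogus = b"\x00NOT-A-VALID-REQUEST\xff\r\n"   # constructed sample input
    with socket.create_connection(relay_addr, timeout=5) as c:
        c.sendall(bogus)
        reply = c.recv(4096)
    worker.join(5)
    return seen.get("data"), bogus, reply

if __name__ == "__main__":
    print(demo())
```

The backend gets the malformed bytes exactly as sent: the relay re-originates the TCP connection, which shields the inside host from packet-level tricks, but it applies no check to the application data.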