Firewall Wizards mailing list archives

Re: GXD vs. SPF


From: Frederick M Avolio <fred () avolio com>
Date: Sat, 26 Sep 1998 19:36:27 -0400

Bill,

This gets at what has been the heart of such discussions. Namely, the issue
is not what can be done, but what *is* done in a given (or some or most)
implementations.

Certainly, a SPF could be more secure than a GXD. If truly all a GXD does
is provide a proxy with no security, then it still can protect the inside
machines from some classes of attacks, and a GXD could add strong
authentication (unlike SPFs) or better logging than PFs, but is probably
little better than any packet filter.

It is reminiscent of when HTTP first came and people had trouble with it
because firewalls didn't support it. CERN came out with a "proxy". Well,
all it did was allow HTTP traffic to pass from the inside to outside and
back. There were no security features (and it was tens of thousands of
lines of code). 

Of course, some services have no useful features that would make a real
application gateway beneficial.  When you see that a proxy is offered for a
service but that all it is doing is, well, being a proxy, (like the plug-gw
in the FWTK) the same service could be done as securely and faster with a
SPF. 

Fred

At 08:28 PM 9/24/98 -0400, Stout, Bill wrote:

Having done my fair share of hand waving and whiteboarding about AG vs. SPF,
I'm curious about something else.  

Generic Proxy security vs. SPF session security.

Given a specific traffic session, ignoring the whole packet-level attack
category:
If the GXD simply reassembles segments to TCP windows and passes them on to
the target, only using sequence numbers to keep track of the TCP session,
would a SPF provide better validation of a session than a generic proxy?

The security stack would be:

AG
SPF
GXD
Packet Filter

Bill Stout
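The distinction both messages turn on (Fred's plug-gw remark and Bill's question about a GXD that only relays TCP data) can be made concrete with a small model. The following is an added example, not code from the thread, from the FWTK, or from any firewall product: `plug_relay` stands in for a generic proxy that terminates the connection and copies bytes through untouched, while `http_gateway` stands in for an application gateway that parses the protocol before forwarding. The allowed-method set and the sample requests are constructed for illustration.

```python
"""Toy model: generic "plug" relay versus an application-aware gateway.

Added example for the GXD vs. SPF discussion; it is not FWTK code and does
not model any real product. Both functions take the bytes a client sent on
a freshly accepted connection and return the bytes to forward to the target,
or None if the gateway refuses the session.
"""
from typing import Optional, Dict

# Constructed policy for the application gateway (assumption, not from the thread).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def plug_relay(client_bytes: bytes) -> Optional[bytes]:
    """Generic proxy in the plug-gw sense: it owns the TCP connection on
    both sides but never interprets the payload, so whatever the client
    sends is passed on verbatim. This is the "proxy with no security" case."""
    return client_bytes


def http_gateway(client_bytes: bytes) -> Optional[bytes]:
    """Application gateway for HTTP: the session is only forwarded if the
    payload starts with a well-formed request line using an allowed method.
    Anything else (another protocol tunnelled over the port, a malformed
    request, a method outside policy) is dropped before reaching the target."""
    request_line, sep, _rest = client_bytes.partition(b"\r\n")
    if not sep:
        return None  # no complete request line yet; refuse rather than guess
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None  # request line must be exactly METHOD SP TARGET SP VERSION
    method, target, version = parts
    try:
        method_text = method.decode("ascii")
    except UnicodeDecodeError:
        return None  # non-ASCII method token is not HTTP
    if method_text not in ALLOWED_METHODS:
        return None
    if not target.startswith(b"/") or not version.startswith(b"HTTP/1."):
        return None
    return client_bytes


def compare(samples: Dict[str, bytes]) -> Dict[str, Dict[str, bool]]:
    """Run each constructed sample through both models and report whether
    each one would have forwarded it. True means the bytes reached the target."""
    return {
        name: {
            "plug_relay": plug_relay(data) is not None,
            "http_gateway": http_gateway(data) is not None,
        }
        for name, data in samples.items()
    }


# Constructed sample sessions (not captured traffic).
SAMPLES = {
    "normal_get": b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "unknown_method": b"TRACE / HTTP/1.1\r\n\r\n",
    "not_http_at_all": b"\x00\x01\x02binary protocol on port 80\r\n",
}

if __name__ == "__main__":
    for name, verdict in compare(SAMPLES).items():
        print(f"{name:16s} plug_relay={verdict['plug_relay']!s:5s} "
              f"http_gateway={verdict['http_gateway']!s:5s}")
```

The relay forwards all three samples, which is exactly why Fred says such a proxy is "probably little better than any packet filter": it adds a connection boundary but no protocol validation, so a stateful packet filter could pass the same traffic as securely and with less overhead. Only the application gateway model refuses the two sessions that are not acceptable HTTP.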



