Firewall Wizards mailing list archives

Stateful Packet Filter (SPF) vs Application Layer Gateway (ALG)


From: ICMan <shane () tor securecomputing com>
Date: Fri, 3 Jul 1998 11:46:26 -0400

Once again, the vicious fight between SPF and ALG proponents gets center 
stage.  I, ICMan, valiant knight of the ALG Legion, stride forth in my 
majesty to battle the evil hordes of SPF supporters.  ;-)

SPF is a cool, fast, efficient way to help protect a network.  SPF as an 
architecture allows you to do a lot of great things.  You can monitor 
connection state, you can inspect every piece and flag in every layer of a 
packet, you can even buffer data in chunks large enough to filter based on 
application information, such as certain commands, virus checking, even 
ActiveX and Java filtering.  It can cut through a tin can, and then 
perfectly slice tomatoes.  And when you have completed all the hairy 
development, spliced into the stacks of stock operating systems by 
replacing their libraries, and included a scripting language to allow users 
to program their own protocol checks, you have an amazing device.  You have 
an ALG running on a semi-hardened IP stack.

You do not even have an ALG running on a properly hardened OS.

And worse, you have tried to re-invent the wheel, duplicating most of what 
a properly debugged IP stack was created to do in the first place.  Manage 
connections using state information.  Digging into that kind of development 
opens the door to remaking all the mistakes made during development and 
testing of IP Stacks, which has lasted how long?  20 years or more? 
Microsoft is making all the same mistakes in their IP implementation that 
BSD did 15 years ago, because they are not looking at all the work that has 
been done in that time; the bug fixes, the design changes, etc.  We all 
condemn M$ for this oversight, and brazenly declare that "NT is crap in the 
security arena.  We would never encourage a customer to use NT as the basis 
for a perimeter security device!"  So, why do we trust developers that 
don't trust the IP stacks that they use, and try to rewrite them from 
scratch?

That said, I come to the defense of SPFs in aid against my own vicious 
attack.  The reason for SPFs is so you DON'T HAVE to dig into the OS and 
mess with the stack, adding filters, checks, etc.  The IP stack of an OS is 
a very complicated animal, and the faint of heart should not even go near 
one.  Taking an SPF and tightening it down to the same security level of an 
ALG kills its performance advantage.  SPF is not designed to be the 
perfect answer to security needs on a firewall.  ALGs are not designed to 
be the perfect security solution for a firewall.  ALGs are more secure, 
SPFs are faster and more flexible.  That is the difference, and that should be 
foremost in your mind when determining the needs for your customers.

'nuff said!  ;-)

ICMan

PS.  It is my opinion that ALGs by themselves are more secure than SPFs, 
but that to really get a definite security boost, the OS needs to be 
hardened.  I don't mean hardened like one popular company with an SPF 
Firewall means hardened.  All they do to "harden" the OS is to turn off a 
bunch of services.  I mean HARDEN.  Get into the source for the kernel and 
either start debugging, or add additional protection measures.  Cell-like 
division of processes, categorized into domains which have strictly 
enforced, limited access to other files and processes outside of their 
domain, etc.  DOD uses firewalls that have such Mandatory Access Control 
built into them.  If you are going to dig into the kernel of an OS, it 
makes sense to harden the stack rather than make a new one from scratch, so 
an ALG would be your logical choice of architecture.
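As an added illustration, not part of ICMan's post or of any product he mentions: a toy stateful packet filter beside a toy application layer gateway, in Python, to make the architectural contrast in the post concrete. The SPF keeps a connection table keyed on the endpoint pair, lets only the inside open connections, and passes payload on an established connection without reading it; the ALG terminates the connection and forwards only commands it understands. Everything in it is constructed for the example: the `10.0.0.x` "inside" network, the `Packet` model, the line-oriented command protocol and its allow-list of verbs.

```python
# Toy SPF and ALG. Constructed illustration, not code from the post:
# the 10.0.0.x "inside" net, the packet model and the command protocol
# are all made up for the example.
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."          # constructed: hosts with this prefix are inside


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset               # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""


def is_inside(addr):
    return addr.startswith(INSIDE_PREFIX)


class StatefulPacketFilter:
    """Tracks TCP connections by endpoint pair; only the inside may open
    them.  It reads headers and flags, never the payload."""

    def __init__(self):
        self.table = {}            # endpoint pair -> connection state

    @staticmethod
    def _key(p):
        # Sort the endpoints so both directions hit the same entry.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def filter(self, p):
        key, flags = self._key(p), frozenset(p.flags)
        state = self.table.get(key)
        if state is None:
            # Only a bare SYN from an inside host may create state.
            if is_inside(p.src) and not is_inside(p.dst) and flags == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return True
            return False           # unsolicited traffic matches nothing: dropped
        if "RST" in flags:
            del self.table[key]    # a reset tears the entry down
            return True
        if state == "SYN_SENT":
            if not is_inside(p.src) and flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
                return True
            return False
        if state == "ESTABLISHED":
            if "FIN" in flags:
                self.table[key] = "CLOSING"
            return True            # payload passes uninspected
        if "FIN" in flags:         # CLOSING: second FIN ends the connection
            del self.table[key]
        return True


class CommandProxy:
    """ALG for a constructed line-oriented command protocol.  It terminates
    the connection, parses each command and forwards only allow-listed
    verbs of sane length, so the protected host never sees raw peer data."""

    ALLOWED_VERBS = {"HELO", "LIST", "GET", "QUIT"}   # constructed allow-list
    MAX_LINE = 512

    def relay(self, line):
        """Return the normalised line to forward, or None to refuse it."""
        if len(line) > self.MAX_LINE or not line.endswith(b"\r\n"):
            return None
        try:
            text = line[:-2].decode("ascii")
        except UnicodeDecodeError:
            return None
        if not text or any(ch < " " for ch in text):
            return None            # empty line or embedded control characters
        verb, _, args = text.partition(" ")
        if verb.upper() not in self.ALLOWED_VERBS:
            return None
        return (verb.upper() + (" " + args if args else "") + "\r\n").encode("ascii")


def demo():
    """Both devices over a constructed conversation; returns a dict of verdicts."""
    spf, alg = StatefulPacketFilter(), CommandProxy()
    inside, outside = "10.0.0.5", "192.0.2.10"
    syn = Packet(inside, 40000, outside, 25, frozenset({"SYN"}))
    synack = Packet(outside, 25, inside, 40000, frozenset({"SYN", "ACK"}))
    data = Packet(outside, 25, inside, 40000, frozenset({"ACK"}), b"DELE 1\r\n")
    stray = Packet("198.51.100.7", 1234, inside, 22, frozenset({"SYN"}))
    return {
        "spf_handshake": [spf.filter(syn), spf.filter(synack)],
        "spf_passes_unknown_cmd": spf.filter(data),   # SPF does not know what DELE means
        "spf_drops_unsolicited": spf.filter(stray),
        "alg_refuses_unknown_cmd": alg.relay(b"DELE 1\r\n"),
        "alg_forwards_allowed": alg.relay(b"get index.html\r\n"),
        "alg_refuses_long": alg.relay(b"GET " + b"A" * 600 + b"\r\n"),
    }
```

Calling `demo()` shows the split the post is arguing about: the SPF accepts the `DELE 1` payload because an established entry exists and it has no notion of what the bytes mean, while the ALG refuses the same command because it parses the protocol. Conversely the SPF drops the unsolicited inbound SYN with a single table lookup, which is the cheap, fast part of its job; teaching the SPF to refuse `DELE` would mean giving it the ALG's parser, which is the point about tightening an SPF costing its performance advantage.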
