Firewall Wizards mailing list archives
Stateful Packet Filter (SPF) vs Application Layer Gateway (ALG)
From: ICMan <shane () tor securecomputing com>
Date: Fri, 3 Jul 1998 11:46:26 -0400
Once again, the vicious fight between SPF and ALG proponents gets center stage. I, ICMan, valiant knight of the ALG Legion, stride forth in my majesty to battle the evil hordes of SPF supporters. ;-)

SPF is a cool, fast, efficient way to help protect a network. SPF as an architecture allows you to do a lot of great things. You can monitor connection state, you can inspect every piece and flag in every layer of a packet, you can even buffer data in chunks large enough to filter based on application information, such as certain commands, virus checking, even ActiveX and Java filtering. It can cut through a tin can, and then perfectly slice tomatoes.

And when you have completed all the hairy development, spliced into the stacks of stock operating systems by replacing their libraries, and included a scripting language to allow users to program their own protocol checks, you have an amazing device. You have an ALG running on a semi-hardened IP stack. You do not even have an ALG running on a properly hardened OS. And worse, you have tried to re-invent the wheel, duplicating most of what a properly debugged IP stack was created to do in the first place: manage connections using state information.

Digging into that kind of development opens the door to remaking all the mistakes made during development and testing of IP stacks, which has lasted how long? 20 years or more? Microsoft is making all the same mistakes in their IP implementation that BSD did 15 years ago, because they are not looking at all the work that has been done in that time; the bug fixes, the design changes, etc. We all condemn M$ for this oversight, and brazenly declare that "NT is crap in the security arena. We would never encourage a customer to use NT as the basis for a perimeter security device!" So, why do we trust developers that don't trust the IP stacks that they use, and try to rewrite them from scratch?

That said, I come to the defense of SPFs in aid against my own vicious attack.
The reason for SPFs is so you DON'T HAVE to dig into the OS and mess with the stack, adding filters, checks, etc. The IP stack of an OS is a very complicated animal, and the faint of heart should not even go near one. Taking an SPF and tightening it down to the same security level of an ALG kills its performance advantage.

SPF is not designed to be the perfect answer to security needs on a firewall. ALGs are not designed to be the perfect security solution for a firewall. ALGs are more secure, SPFs are faster and more flexible. That is the difference, and that should be foremost in your mind when determining the needs for your customers.

'nuff said! ;-)

ICMan

PS. It is my opinion that ALGs by themselves are more secure than SPFs, but that to really get a definite security boost, the OS needs to be hardened. I don't mean hardened like one popular company with an SPF firewall means hardened. All they do to "harden" the OS is to turn off a bunch of services. I mean HARDEN. Get into the source for the kernel and either start debugging, or add additional protection measures. Cell-like division of processes, categorized into domains which have strictly enforced, limited access to other files and processes outside of their domain, etc. DOD uses firewalls that have such Mandatory Access Control built into them. If you are going to dig into the kernel of an OS, it makes sense to harden the stack rather than make a new one from scratch, so an ALG would be your logical choice of architecture.
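To make the two architectures the post contrasts concrete, here is an added toy model (example code written for this archive page, not anything from the post's author or any firewall product). The `StatefulFilter` does what the post credits SPFs with: it keeps a per-flow state table and admits only packets that belong to a TCP connection opened from the inside, so an unsolicited SYN or a bare ACK from outside has no entry and is dropped without any protocol parsing. The `AppGateway` does what an ALG does: it terminates the application channel and parses each command before deciding whether to forward it. The `10.x.x.x` "inside" convention, the FTP-style command allow-list and the packet sequence are all constructed for the example.

```python
"""Toy SPF versus ALG (constructed example, not from the original post)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # TCP flags as letters: S=SYN, A=ACK, F=FIN, R=RST
    payload: bytes = b""


def is_inside(ip: str) -> bool:
    # Constructed convention for this example: 10.x.x.x is the protected network.
    return ip.startswith("10.")


class StatefulFilter:
    """Stateful packet filter: a flow is admitted only if the inside opened it."""

    def __init__(self):
        # key = 4-tuple as seen from the initiator, value = connection state
        self.flows = {}

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows:
            key, from_initiator = fwd, True
        elif rev in self.flows:
            key, from_initiator = rev, False
        else:
            # No state yet: the only acceptable opener is a SYN from inside.
            # A bare ACK or a SYN from outside matches nothing and is dropped;
            # no flag inspection or payload parsing is needed for that decision.
            if pkt.flags == "S" and is_inside(pkt.src) and not is_inside(pkt.dst):
                self.flows[fwd] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        state = self.flows[key]
        if "R" in pkt.flags or "F" in pkt.flags:
            del self.flows[key]          # teardown: forget the flow
            return "ACCEPT"
        if state == "SYN_SENT":
            if from_initiator and pkt.flags == "S":
                return "ACCEPT"          # retransmitted SYN
            if not from_initiator and pkt.flags == "SA":
                self.flows[key] = "ESTABLISHED"
                return "ACCEPT"
            return "DROP"                # anything else mid-handshake is bogus
        return "ACCEPT"                  # ESTABLISHED: data and ACKs both ways


ALLOWED_COMMANDS = {"USER", "PASS", "LIST", "RETR", "QUIT"}  # constructed allow-list
MAX_LINE = 512


class AppGateway:
    """Application-layer gateway for an FTP-like command channel.

    The gateway owns the connection, so it sees whole command lines and can
    apply protocol semantics (allow-list, argument checks) before forwarding.
    """

    def inspect(self, line: bytes):
        if len(line) > MAX_LINE:
            return ("REJECT", "line too long")
        if not line.endswith(b"\r\n"):
            return ("REJECT", "unterminated command")
        try:
            text = line[:-2].decode("ascii")
        except UnicodeDecodeError:
            return ("REJECT", "non-ASCII command")
        if any(ord(c) < 32 for c in text):
            return ("REJECT", "control character in command")
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb not in ALLOWED_COMMANDS:
            return ("REJECT", f"command {verb} not allowed")
        if verb in ("RETR", "LIST") and ".." in arg:
            return ("REJECT", "path traversal in argument")
        # Re-serialise rather than forward the raw bytes: the server only ever
        # sees what the gateway chose to emit.
        return ("FORWARD", f"{verb} {arg}".strip().encode("ascii") + b"\r\n")


if __name__ == "__main__":
    spf = StatefulFilter()
    # Constructed packet sequence: inside host 10.0.0.5 opens FTP to 192.0.2.10,
    # then an outside host tries to reach 10.0.0.5:22 with a SYN and a bare ACK.
    for p in [Packet("10.0.0.5", "192.0.2.10", 40000, 21, "S"),
              Packet("192.0.2.10", "10.0.0.5", 21, 40000, "SA"),
              Packet("10.0.0.5", "192.0.2.10", 40000, 21, "A"),
              Packet("198.51.100.7", "10.0.0.5", 4444, 22, "S"),
              Packet("198.51.100.7", "10.0.0.5", 4444, 22, "A")]:
        print(p.flags.ljust(2), p.src, "->", p.dst, spf.decide(p))
    alg = AppGateway()
    for cmd in [b"USER anonymous\r\n", b"SITE EXEC ls\r\n", b"RETR ../../etc/passwd\r\n"]:
        print(cmd, alg.inspect(cmd))
```

The two classes make the post's trade-off visible: the filter decides every packet with one dictionary lookup and never touches the payload, while the gateway has to buffer, decode and parse each line, which is exactly the work the post says costs an SPF its speed advantage once you bolt it on.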