Firewall Wizards mailing list archives

Re: Proxy 2.0 secure? (AG vs. SPF)


From: "Ryan Russell" <ryanr () sybase com>
Date: Tue, 7 Jul 1998 09:55:03 -0700


I'm repeating myself a bit here because of some
lag in messages getting to list members, but...

I claim that any IP handling software that isn't part
of the OS, and hence isn't usable by the OS is
a type of SPF.

So, for example, if one believes that the exercise
of taking a good IP stack and making it a standalone
application can be accomplished without introducing
significant bugs, then you have an excellent starting point.

I don't believe that SPFs have to be written as state machines.
The "state" in SPF comes from the fact that the big brothers
of traditional PFs keep "state" about previous packets..
not that they necessarily use a state mechanism to do so.

Wouldn't having the IP stack not effectively running as root
be an improvement?  Couldn't there be some useful security
information gleaned by not throwing away bits of information
that are tossed currently by the barrier between IP stack
and app logic that is the sockets API?

                         Ryan





Bennett Todd <bet () mordor net> on 07/07/98 08:56:32 AM

To:   Ryan Russell/SYBASE, tqbf () pobox com
cc:   firewall-wizards () nfr net
Subject:  Re: Proxy 2.0 secure? (AG vs. SPF)




1998-06-30-10:12:01 Ryan Russell:
--- but they have increased vulnerability to problems in other IP stacks,
because they are allowing remote hosts to communicate directly with those
stacks.

I disagree with this assumption.  Current SPF implementations do this. It
doesn't mean someone couldn't write a better one.

In other words, you're banking your arguments about the superiority of
stateful packet filtering on the fantasy that someone will write an SPF that
does fragment reassembly, options stripping, and all the other implicit
cleanup that's done by the IP stacks for application gateways.

Go for it. Maybe you're right; people have wasted the time and effort to write
some amazingly awful dreck, and people continue to waste even more time and
effort attempting to run it; there are a lot of sick pups out there.

But I'll betcha that even if someone _does_ what you propose --- write an
entire IP stack, with application proxies and everything, as state transition
rules for an SPF --- that the result will not be more secure than current
application gateway firewalls. Rather, you'll have a vastly more complex
implementation, which means more bug-ridden, and far harder to maintain and
enhance in the face of changing demands. That definitely sounds like a
market-leading product in today's market, I'll agree. I still won't use it.
And I won't expect it to be more secure.

-Bennett







