Firewall Wizards mailing list archives

Re: Proxy 2.0 secure? (AG vs. SPF)


From: "Ryan Russell" <ryanr () sybase com>
Date: Thu, 9 Jul 1998 12:56:30 -0700


Well THAT'S helpful :)

Seriously though, some name is needed if people
are to discuss such a beast.  If I may write down
what I think your definitions are:

PF - Forwards packets (or not) without modification
based on information in the current packet only.

SPF - Forwards packets (or not) without modification
based on information in the current packet, or
previous packets that appear to be related to this one.

Fair?

So, there's some other beast that I've been talking
about that does more than an SPF, and might
even be as much as an AG depending on how
it's implemented.

The only device that I know of that implements
the type of SPF you define is possibly reflexive
access lists in Cisco IOS.  That's only been available
for a handful of months.

Is that the device you were speaking of when you said
something to the effect of AGs are always more secure
than SPFs?  If so... heck, I guess you're right.

So now I have to come up with some other acronym
instead of SPF?  I have been purposely using that
as an alternative to SMLI.

                    Ryan






tqbf () pobox com on 07/09/98 12:44:54 PM

Please respond to tqbf () pobox com

To:   Ryan Russell/SYBASE
cc:   tqbf () pobox com, firewall-wizards () nfr net
Subject:  Re: Proxy 2.0 secure? (AG vs. SPF)




Leaving alone the parts of FW-1 that actually are
traditional proxy code, what do we call the parts
that can modify packets on the way through
if not PF or SPF?

Something else.

-----------------------------------------------------------------------------
Thomas H. Ptacek                       SNI Labs, Network Associates, Inc.
-----------------------------------------------------------------------------
http://www.pobox.com/~tqbf     "If you're so special, why aren't you dead?"
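
The PF and SPF definitions proposed in the message above, as an added example that is not part of the original post: both filters forward or drop packets without modifying them, and differ only in whether earlier packets inform the decision. The packet model, the policy in `pf_allow`, the `SPF` class and the sample traffic are all hypothetical and constructed for illustration.

```python
from collections import namedtuple

# Constructed packet model: only the header fields the filters consult.
Packet = namedtuple("Packet", "src sport dst dport flags outbound")

def pf_allow(pkt):
    """PF: the decision uses the current packet only.
    Hypothetical policy: any outbound packet; inbound TCP only if ACK is set."""
    return pkt.outbound or "A" in pkt.flags

class SPF:
    """SPF: the decision also uses earlier packets that appear related."""
    def __init__(self):
        self.flows = set()  # (inside, iport, outside, oport) seen going out

    def allow(self, pkt):
        if pkt.outbound:
            # Remember the flow so its return traffic can be recognised.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: must mirror a flow an inside host opened earlier.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def run(filter_fn, packets):
    """Return the forward (True) / drop (False) verdict for each packet."""
    return [filter_fn(p) for p in packets]

# Constructed traffic using documentation addresses (RFC 5737).
TRAFFIC = [
    Packet("192.0.2.10", 40000, "198.51.100.5", 80, "S", True),    # inside client opens
    Packet("198.51.100.5", 80, "192.0.2.10", 40000, "SA", False),  # genuine reply
    Packet("203.0.113.9", 80, "192.0.2.10", 40001, "A", False),    # unsolicited, ACK set
    Packet("203.0.113.9", 80, "192.0.2.10", 40002, "S", False),    # unsolicited SYN
]

if __name__ == "__main__":
    print("PF :", run(pf_allow, TRAFFIC))
    print("SPF:", run(SPF().allow, TRAFFIC))
```

The third packet is where the two verdicts diverge: it satisfies the per-packet rule but matches no flow recorded from earlier outbound traffic.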







