Firewall Wizards mailing list archives
Re: Proxy 2.0 secure? (AG vs. SPF)
From: "Ryan Russell" <ryanr () sybase com>
Date: Mon, 29 Jun 1998 12:56:45 -0700
>> Hmm... so, during a discussion which, in part, involves buggy TCP/IP stack implementations, you're recommending an Application Gateway.
> Yes, but I don't see what point you're making. Are you trying to insinuate that application gateways are somehow more vulnerable to IP stack problems than stateful filters? Perhaps you're making the assumption that AG firewalls ride on top of vendor IP stacks.
AGs are completely vulnerable to problems in the lower layers of IP stacks. SPFs have their own problems, and may or may not be vulnerable to IP stack implementation problems on the firewall machine, depending on implementation of the SPF. AG firewalls always ride on someone's IP stack. You'd be more fortunate than most if it's not the original stack that came with the host OS, and was written by someone who knew what they were doing.
>> Well, I'm convinced, proxying is ALWAYS better than SPF. :)
> It is. By design. Stateful filtering is a performance hack.
While I don't claim to have as much insight into the intentions of SPF developers as you do, I do know that a good SPF implementation could stop many more attacks than an AG could. Take all of the screwing-with-the-frag-pointers attacks for example: an AG running on a stack with that bug will go down. A really good SPF implementation would catch that and drop the connection. The AG is dependent on the IP stack to behave. Note that I don't claim that any good SPF implementations exist on the market. It's a matter of how you like to do your firewall software. SPFs could do it all in one piece. AGs do it in at least two pieces, and if the AG comes with its own IP stack, then the vendor has as much opportunity to get all the pieces right as the SPF vendor, with something close to the same amount of work.

Ryan
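The kind of check Ryan describes, a filter validating a fragment set before the host stack's reassembly code ever sees it, is illustrated by the following added example. It is not code from the thread or from either poster; it uses a simplified model in which offsets are already converted to bytes, the constants and the `Fragment` type are assumptions, and the four fragment sets are constructed samples rather than captured traffic. The verdicts cover the "frag-pointer" failure modes a stateful filter can catch (overlap, offsets that run past the maximum datagram size, inconsistent MF flags) and distinguish them from a set that is merely still arriving.

```python
from dataclasses import dataclass
from typing import List

# Assumed constants: IPv4 maximum total length and the minimum IP header size.
MAX_DATAGRAM = 65535
IP_HEADER_LEN = 20


@dataclass(frozen=True)
class Fragment:
    """One fragment as a filter sees it after parsing the IP header.
    offset has already been converted from 8-byte units to bytes."""
    ident: int    # Identification field shared by all fragments of a datagram
    offset: int   # byte offset of this fragment's payload within the datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # the MF (More Fragments) flag


def check_fragment_set(frags: List[Fragment]) -> str:
    """Return "ok", "incomplete", or a reason string explaining why the
    set must be dropped instead of being handed to host reassembly."""
    if not frags:
        return "empty set"
    ident = frags[0].ident
    if any(f.ident != ident for f in frags):
        return "fragments carry different identification values"
    # per-fragment sanity: no empty fragments, nothing past 65535 bytes
    for f in frags:
        if f.length <= 0:
            return f"zero-length fragment at offset {f.offset}"
        if f.offset + f.length + IP_HEADER_LEN > MAX_DATAGRAM:
            return f"fragment at offset {f.offset} extends past the maximum datagram size"
    ordered = sorted(frags, key=lambda f: f.offset)
    # overlap: a fragment may not start before the previous one ends
    end = 0
    for f in ordered:
        if f.offset < end:
            return f"overlap at offset {f.offset} (previous fragment ends at {end})"
        end = f.offset + f.length
    # exactly one fragment may clear MF, and it must be the highest-offset one
    finals = [f for f in ordered if not f.more]
    if len(finals) > 1:
        return "more than one fragment has MF clear"
    if finals and finals[0] is not ordered[-1]:
        return "MF cleared on a fragment that is not the last one"
    # every non-final fragment must carry a multiple of 8 bytes
    for f in ordered[:-1]:
        if f.length % 8:
            return f"non-final fragment at offset {f.offset} is not a multiple of 8 bytes"
    # contiguity: a gap or a missing final fragment means "still waiting", not hostile
    end = 0
    for f in ordered:
        if f.offset != end:
            return "incomplete"
        end = f.offset + f.length
    if not finals:
        return "incomplete"
    return "ok"


# Constructed sample fragment sets (not captured traffic).
BENIGN = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True),
          Fragment(1, 2960, 100, False)]
OVERLAP = [Fragment(2, 0, 1480, True), Fragment(2, 1472, 100, False)]
OVERSIZE = [Fragment(3, 0, 1480, True), Fragment(3, 65528, 1480, False)]
INCOMPLETE = [Fragment(4, 0, 1480, True), Fragment(4, 2960, 100, False)]

if __name__ == "__main__":
    for name, fragset in [("benign", BENIGN), ("overlap", OVERLAP),
                          ("oversize", OVERSIZE), ("incomplete", INCOMPLETE)]:
        print(f"{name:10s} -> {check_fragment_set(fragset)}")
```

The design point is the one Ryan makes: the filter decides on the fragment set as a whole, in its own code, before any of it reaches the reassembly path of the stack the firewall happens to run on. An "incomplete" verdict is deliberately kept separate from a drop reason so that a filter does not discard legitimate datagrams whose fragments simply arrived out of order.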