Firewall Wizards mailing list archives
RE: GXD vs. SPF
From: "Paul D. Robertson" <proberts () clark net>
Date: Wed, 30 Sep 1998 09:56:43 -0400 (EDT)
On Tue, 29 Sep 1998, Ryan Russell wrote:
Firewall-1 designers appear to start with the most generic SPF handler possible, and only add better handling when the protocol won't work otherwise, or some exploit is published. That's the wrong place for a firewall to be.
The worst thing I see about this model is that it doesn't reliably give you an index to how much protection you're getting from the firewall. Initially you didn't even get UDP state, then someone pointed out that it couldn't be a stateful packet filter if it didn't keep UDP state and that was fixed. Now you don't get ICMP state. Then if you start delving into application protocols, you may or may not get additional state information that has something to do with the protocol itself.

It should be pointed out that the proxy server folks have done things like a "reference" proxy put out by someone that looked for about a four character string in the datastream to decide if the traffic was ok. Whee!

Maybe it's just me, but I still fail to see the security stance of someone who allows more than about four protocols. Tunneling over SMTP, HTTP, and DNS are pretty difficult to detect as is, but at least most of it's trendable with statistics from common gateways. How the heck do you figure out a tunnel over half a gazillion protocols and still feel a measure of protection? Was I asleep in that part of the sales pitch?

My users have been telling me for years how much not having cute-video-chat-coke-or-pepsi-taste-testing protocol #6 will severely impact their daily jobs. Funnily enough we've had some of our most profitable quarters in that time period without it. Maybe I should go around and test to see if all my cat 5 and type 1 is Y2k compliant, I keep feeling pretty far out of it. I'm still trying to figure out if we can just get them all WebTV, stick them in a tuner "sandbox" and go home.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net   which may have no basis whatsoever in fact."
PSB#9280
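To make the UDP-state versus ICMP-state distinction in the reply concrete, here is an added illustration that is not code from the thread or from any firewall product: a toy stateful filter that keeps UDP and ICMP echo state, with a switch that turns ICMP state off so the difference in what gets through is visible. All hosts, ports and flows are constructed, and the filter has no timeouts.

```python
# Constructed example: minimal stateful packet filter for UDP and ICMP echo.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str           # "udp" or "icmp"
    src: str
    dst: str
    a: int = 0           # UDP source port / ICMP identifier
    b: int = 0           # UDP destination port / ICMP sequence number
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply (ICMP only)

class StatefulFilter:
    """Inside hosts may initiate; inbound packets need a matching state entry."""
    def __init__(self, inside_prefix, track_icmp=True):
        self.inside = inside_prefix      # hypothetical "inside" address prefix
        self.track_icmp = track_icmp
        self.state = set()               # (proto, inside_ip, outside_ip, a, b)

    def outbound(self, p):
        return p.src.startswith(self.inside)

    def verdict(self, p):
        """Return "ACCEPT" or "DROP" for one packet, updating the state table."""
        if p.proto not in ("udp", "icmp"):
            return "DROP"
        if self.outbound(p):
            if p.proto == "udp" or p.icmp_type == 8:  # only requests create state
                self.state.add((p.proto, p.src, p.dst, p.a, p.b))
            return "ACCEPT"
        if p.proto == "icmp":
            if p.icmp_type != 0:
                return "DROP"
            if not self.track_icmp:
                return "ACCEPT"  # no ICMP state: every echo reply looks solicited
        # Ports swap on a UDP reply; an ICMP identifier/sequence pair does not.
        a, b = (p.b, p.a) if p.proto == "udp" else (p.a, p.b)
        return "ACCEPT" if (p.proto, p.dst, p.src, a, b) in self.state else "DROP"

def demo(track_icmp):
    """Constructed traffic: DNS query/answer, a stray UDP packet, an outbound
    ping with its reply, then an unsolicited echo reply from a third host."""
    fw = StatefulFilter("10.0.0.", track_icmp)
    packets = [
        Pkt("udp", "10.0.0.5", "192.0.2.53", 40000, 53),
        Pkt("udp", "192.0.2.53", "10.0.0.5", 53, 40000),
        Pkt("udp", "192.0.2.99", "10.0.0.5", 53, 40001),
        Pkt("icmp", "10.0.0.5", "192.0.2.1", 7, 1, icmp_type=8),
        Pkt("icmp", "192.0.2.1", "10.0.0.5", 7, 1, icmp_type=0),
        Pkt("icmp", "198.51.100.7", "10.0.0.5", 9, 9, icmp_type=0),
    ]
    return [fw.verdict(p) for p in packets]
```

With ICMP state on, the unsolicited echo reply is dropped; with it off, the filter has no way to tell it from the answer to the inside host's ping.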