Firewall Wizards mailing list archives
Re: GXD vs. SPF
From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 26 Sep 1998 15:50:59 -0400 (EDT)
On Thu, 24 Sep 1998, Stout, Bill wrote:
> Having done my fair share of hand waving and whiteboarding about AG vs. SPF, I'm curious about something else. Generic Proxy security vs. SPF session security.
By "Generic Proxy", I assume you mean transport layer relay like plug-gw, Socks, etc.?
> Given a specific traffic session, ignoring the whole packet-level attack category:
I'm not sure that ignoring the whole packet-level attack category is prudent, since packet filters have this as their downside in general, but also have the chance to do more detection there than is typically provided by a hardened bastion (though there were some interesting Linux kernel mods posted to Bugtraq that detected scans and presumably spoof attempts as well). If you ignore a class of attack then your model is going to be flawed in regards to attacks in general.
> If the GXD simply reassembles segments to TCP windows and passes them on to the target, only using sequence numbers to keep track of the TCP session, would a SPF provide better validation of a session than a generic proxy?
I don't see how it could be "better" unless it was for UDP or the SPF (outside of the realm of the actual filtering) provided some sort of additional detection mechanism. The TCP state (no ACK) given by a plug-gw type program is as fool-proof as the state mechanism in say IPFilter or FW-1 in terms of "this packet goes to a valid conversation that we started". Perhaps more so, since you get a reliability for fragment reassembly and behaviour than you would passing to multiple internal hosts of different types through a packet filter. I've not looked at SOCKS since V3, so I wouldn't know where to place that in an assessment.
> The security stack would be:
>   AG
>   SPF
>   GXD
>   Packet Filter
I'd think that SPF and GXD would be at the same level, and have a different order in the hierarchy depending on what exactly one was attempting to protect, and the risks you had to assume with a particular architecture and potential attack base. I can see times when one or the other would have particular advantages over the one placed below it.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net   which may have no basis whatsoever in fact."
PSB#9280
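The "this packet goes to a valid conversation that we started" check that the reply compares between a plug-gw style relay and a stateful packet filter, written out as an added toy example (not code from the thread, nor from plug-gw, IPFilter or FW-1): a state table keyed on the inside-initiated 4-tuple, with inbound packets admitted only when their flags and sequence numbers fit the recorded session. Addresses, ports and sequence numbers are constructed, and for brevity it accepts only in-order segments where a real filter would accept anything inside the advertised window.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S", "SA", "A", "R"
    seq: int = 0
    ack: int = 0
    plen: int = 0       # payload bytes carried by this segment

class StatefulFilter:
    """Constructed toy: admits inbound packets only if they belong to a
    session an inside host opened; drops everything unsolicited."""

    def __init__(self, inside_prefix="10.0.0."):
        self.inside = inside_prefix
        # (in_ip, in_port, out_ip, out_port) -> [state, in_next_seq, out_next_seq]
        self.table = {}

    def _in(self, ip):
        return ip.startswith(self.inside)

    def check(self, p):
        """Return True to forward the packet, False to drop it."""
        if self._in(p.src) and not self._in(p.dst):          # outbound
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":                                # inside host opens a session
                self.table[key] = ["SYN_SENT", p.seq + 1, None]
                return True
            c = self.table.get(key)
            if c and c[0] == "ESTABLISHED" and p.seq == c[1]:
                c[1] += p.plen                                # next byte inside will send
                return True
            return False
        if self._in(p.dst) and not self._in(p.src):          # inbound
            key = (p.dst, p.dport, p.src, p.sport)
            c = self.table.get(key)
            if c is None:
                return False                                  # nobody inside asked for this
            if c[0] == "SYN_SENT" and p.flags == "SA" and p.ack == c[1]:
                c[0], c[2] = "ESTABLISHED", p.seq + 1          # handshake answered correctly
                return True
            if c[0] == "ESTABLISHED" and p.seq == c[2] and p.ack <= c[1]:
                if "R" in p.flags:
                    del self.table[key]                       # in-sequence reset ends the session
                else:
                    c[2] += p.plen                            # next byte outside will send
                return True
            return False
        return False                                          # neither side inside: not ours
```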