Firewall Wizards mailing list archives

Re: GXD vs. SPF


From: "Paul D. Robertson" <proberts () clark net>
Date: Sat, 26 Sep 1998 15:50:59 -0400 (EDT)

On Thu, 24 Sep 1998, Stout, Bill wrote:

> Having done my fair share of hand waving and whiteboarding about AG vs. SPF,
> I'm curious about something else.
> 
> Generic Proxy security vs. SPF session security.

By "Generic Proxy", I assume you mean transport layer relay like plug-gw, 
Socks, etc.?

> Given a specific traffic session, ignoring the whole packet-level attack
> category: 

I'm not sure that ignoring the whole packet-level attack category is prudent,
since packet filters have this as their downside in general, but also 
have the chance to do more detection there than is typically provided by 
a hardened bastion (though there were some interesting Linux kernel mods 
posted to Bugtraq that detected scans and presumably spoof attempts as 
well).

If you ignore a class of attack then your model is going to be flawed in 
regards to attacks in general.
 
> If the GXD simply reassembles segments to TCP windows and passes them on to
> the target, only using sequence numbers to keep track of the TCP session,
> would a SPF provide better validation of a session than a generic proxy?

I don't see how it could be "better" unless it was for UDP or the SPF 
(outside of the realm of the actual filtering) provided some sort of 
additional detection mechanism.  The TCP state (no ACK) given by a 
plug-gw type program is as fool-proof as the state mechanism in say 
IPFilter or FW-1 in terms of "this packet goes to a valid conversation 
that we started".  Perhaps more so, since you get more reliable 
fragment reassembly and behaviour than you would passing to multiple 
internal hosts of different types through a packet filter.  I've not 
looked at SOCKS since V3, so I wouldn't know where to place that in an 
assessment.

> The security stack would be:
> 
> AG
> SPF
> GXD
> Packet Filter

I'd think that SPF and GXD would be at the same level, and have a 
different order in the hierarchy depending on what exactly one was 
attempting to protect, and the risks you had to assume with a particular 
architecture and potential attack base.  I can see times when one or the 
other would have particular advantages over the one placed below it.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
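The state check Paul refers to ("this packet goes to a valid conversation that we started"), as an added example that is not part of the original message and is not code from plug-gw, IPFilter or FW-1: a toy stateful packet filter in Python that keeps a per-session table keyed on the 5-tuple and validates flags, sequence and acknowledgement numbers against it. The inside network 10.0.0.0/24, the addresses, the ports and the 64 KiB window are constructed assumptions. The point of contrast with a plug-gw style relay is that the relay gets exactly this validation from the host's own TCP stack because it terminates the connection; a filter has to re-implement it, which is what the code below does.

```python
# Added example (not from the list post): a toy stateful packet filter that
# answers "does this packet belong to a conversation an inside host started?"
# using only what a filter sees: 5-tuple, TCP flags, seq and ack numbers.
# Addresses, ports and the inside network are assumptions for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INSIDE_NET = "10.0.0."   # assumption: the protected side of the filter
WINDOW = 65535           # largest sequence-number gap the filter accepts
MOD = 2 ** 32            # TCP sequence numbers wrap at 2**32

Key = Tuple[str, int, str, int]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    ack: int = 0
    length: int = 0         # payload bytes carried by the segment

    def key(self) -> Key:
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> Key:
        return (self.dst, self.dport, self.src, self.sport)


@dataclass
class Conn:
    state: str                          # "SYN_SENT" or "ESTABLISHED"
    inside_next: int                    # next seq expected from the inside host
    outside_next: Optional[int] = None  # next seq expected from the peer


def in_window(seq: int, expected: int) -> bool:
    """True if seq is within WINDOW of expected either way (mod 2**32), so
    retransmissions pass but far-off, guessed sequence numbers do not."""
    return (seq - (expected - WINDOW)) % MOD < 2 * WINDOW


def advance(current: int, p: Packet) -> int:
    """Next expected seq after p; SYN and FIN each consume one number.
    Only moves forward so a retransmission cannot pull the pointer back."""
    new = (p.seq + p.length + ("SYN" in p.flags) + ("FIN" in p.flags)) % MOD
    return new if (new - current) % MOD < WINDOW else current


class StatefulFilter:
    def __init__(self) -> None:
        self.table: Dict[Key, Conn] = {}

    def check(self, p: Packet) -> str:
        return self._outbound(p) if p.src.startswith(INSIDE_NET) else self._inbound(p)

    def _outbound(self, p: Packet) -> str:
        conn = self.table.get(p.key())
        if conn is None:
            if p.flags == frozenset({"SYN"}):   # inside host opens a session
                self.table[p.key()] = Conn("SYN_SENT", (p.seq + 1) % MOD)
                return "ALLOW"
            return "DROP"                       # nothing for it to belong to
        if not in_window(p.seq, conn.inside_next):
            return "DROP"
        if "RST" in p.flags:
            del self.table[p.key()]
            return "ALLOW"
        conn.inside_next = advance(conn.inside_next, p)
        return "ALLOW"

    def _inbound(self, p: Packet) -> str:
        conn = self.table.get(p.reverse_key())
        if conn is None:
            return "DROP"                       # not a conversation we started
        if conn.state == "SYN_SENT":
            # peer may only answer with SYN/ACK (or RST) acknowledging our ISN
            if p.ack != conn.inside_next:
                return "DROP"
            if "RST" in p.flags:
                del self.table[p.reverse_key()]
                return "ALLOW"
            if p.flags != frozenset({"SYN", "ACK"}):
                return "DROP"
            conn.state = "ESTABLISHED"
            conn.outside_next = (p.seq + 1) % MOD
            return "ALLOW"
        # ESTABLISHED: seq must sit in the peer's window, no fresh SYN, and the
        # ack must not cover bytes the inside host has not sent yet
        if "SYN" in p.flags or not in_window(p.seq, conn.outside_next):
            return "DROP"
        if "ACK" in p.flags and (conn.inside_next - p.ack) % MOD >= WINDOW:
            return "DROP"
        if "RST" in p.flags:
            del self.table[p.reverse_key()]
            return "ALLOW"
        conn.outside_next = advance(conn.outside_next, p)
        return "ALLOW"


def sample_packets() -> List[Packet]:
    """Constructed traffic: a normal outbound HTTP session, then three packets
    a filter should refuse (no state, out-of-window seq, unsolicited SYN)."""
    S = frozenset
    return [
        Packet("10.0.0.5", 40000, "192.0.2.10", 80, S({"SYN"}), 1000),
        Packet("192.0.2.10", 80, "10.0.0.5", 40000, S({"SYN", "ACK"}), 5000, 1001),
        Packet("10.0.0.5", 40000, "192.0.2.10", 80, S({"ACK"}), 1001, 5001),
        Packet("192.0.2.10", 80, "10.0.0.5", 40000, S({"ACK"}), 5001, 1001, 100),
        Packet("198.51.100.7", 80, "10.0.0.5", 40000, S({"ACK"}), 5101, 1001, 10),
        Packet("192.0.2.10", 80, "10.0.0.5", 40000, S({"ACK"}), 205001, 1001, 10),
        Packet("192.0.2.10", 443, "10.0.0.5", 22, S({"SYN"}), 7),
    ]


def run_filter(packets: List[Packet]) -> List[str]:
    f = StatefulFilter()
    return [f.check(p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(sample_packets(), run_filter(sample_packets())):
        print(f"{v:5} {p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} seq={p.seq}")
```

Running it prints one verdict per packet: the four segments of the session the inside host opened are allowed, the packet from an address with no table entry, the segment whose sequence number is 200,000 bytes ahead of what the peer should be sending, and the unsolicited inbound SYN are dropped. What the toy leaves out is exactly where a relay has the edge Paul mentions: there is no fragment reassembly here, no idle timeouts or FIN state machine, and every internal host behind the filter still runs its own TCP stack with its own quirks, whereas a plug-gw style relay lets one hardened stack on the bastion do all of this.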
