Firewall Wizards mailing list archives

Re: GXD vs. SPF


From: "Ryan Russell" <ryanr () sybase com>
Date: Sat, 26 Sep 1998 13:15:12 -0700

I'll have to qualify my answers a bit :)

Generic Proxy security vs. SPF session security.

Given a specific traffic session, ignoring the whole packet-level attack category:

I wouldn't ignore packet-level attacks, I think that's the pertinent issue,
unless I misunderstand what you mean by packet-level attack.

If the GXD simply reassembles segments to TCP windows and passes them on to
the target, only using sequence numbers to keep track of the TCP session,
would a SPF provide better validation of a session than a generic proxy?

If I assume that the SPF doesn't try to do something extra like filter HTTP
pieces, etc...  then the GXD will be better.  I don't know that validation
is the right term, but the GXD will do better reformatting of the stream
(the stream itself, not the data within the stream.)

Put it this way.. one of the things I've asked for in the past in my ideal
SPF is that it reassemble fragments, drop option bits (configurably,
of course) possibly buffer packets, perhaps making 2 packets into
1, etc.  In other words, the default behaviours you get with any simple
TCP relay across a host's IP stack.  For TCP, all of the "state" that
a FW-1 maintains is the same as what a regular IP stack checks for
all TCP connections.

I don't know enough details about it, but I think SOCKS is an example
of your GXD.

The security stack would be:

AG
SPF
GXD
Packet Filter

If you want to consider SPFs that only pass or not pass a packet as-is
(with perhaps the exception of what's needed to do NAT) then reverse
SPF and GXD.  This is assuming least secure at the bottom, and
most secure at the top.

                              Ryan
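The "reformatting of the stream" that a relay inherits from its host's IP stack, as an added example that is not part of the original post or of any product named in it: a toy TCP reassembler that turns out-of-order, duplicated and overlapping segments into one unambiguous byte stream and re-segments it on the relay's outbound connection, beside the as-is view a pure packet filter would forward. The "first"/"last" overlap policies, the sample segments and the sequence numbers are constructed assumptions for illustration; real stacks resolve overlaps differently from one another.

```python
"""Toy TCP stream normaliser (added example, not code from the post).

Models the stream reformatting a generic relay (GXD) gets for free from
its host's IP stack, versus a packet filter forwarding segments as-is.
The overlap policies are an assumption: real stacks differ by OS.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Segment:
    seq: int        # absolute sequence number of payload[0]
    payload: bytes


def reassemble(segments: List[Segment], start_seq: int,
               policy: str = "first") -> Tuple[bytes, int]:
    """Rebuild the in-order stream the relay's stack hands its application.

    segments  -- segments in *arrival* order (out of order, duplicated,
                 overlapping, or leaving a gap are all allowed)
    start_seq -- sequence number of the first expected data byte (ISN+1)
    policy    -- "first": data already buffered wins on overlap
                 "last":  the newest segment overwrites   (assumed policies)

    Returns (contiguous_bytes, bytes_buffered_beyond_a_gap).
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}                                   # relative offset -> byte value
    for seg in segments:
        for i, b in enumerate(seg.payload):
            off = seg.seq - start_seq + i
            if off < 0:                        # data before the window: drop it
                continue
            if off in buf and policy == "first":
                continue                       # keep what arrived first
            buf[off] = b
    out = bytearray()
    off = 0
    while off in buf:                          # deliver only the contiguous prefix
        out.append(buf[off])
        off += 1
    return bytes(out), len(buf) - len(out)


def resegment(stream: bytes, out_seq: int, mss: int) -> List[Segment]:
    """Re-emit the normalised stream on the relay's own connection: fresh
    sequence numbers, MSS-sized segments, and no trace of the original
    segment boundaries (the "2 packets into 1" behaviour)."""
    if mss <= 0:
        raise ValueError("mss must be positive")
    return [Segment(out_seq + i, stream[i:i + mss])
            for i in range(0, len(stream), mss)]


# Constructed sample: a duplicated, out-of-order, overlapping request.
START = 1001
ARRIVED = [
    Segment(1001, b"GET /in"),             # seq 1001..1007
    Segment(1001, b"GET /in"),             # retransmitted duplicate
    Segment(1016, b" HTTP/1.0\r\n\r\n"),   # arrives early, seq 1016..1028
    Segment(1005, b"XXX"),                 # overlaps 1005..1007 with other data
    Segment(1008, b"dex.html"),            # fills the gap, seq 1008..1015
]


def relay_view(policy: str = "first") -> bytes:
    """What the proxy's application, and therefore the target, sees."""
    stream, _pending = reassemble(ARRIVED, START, policy)
    return stream


def filter_view() -> List[Segment]:
    """What an as-is packet filter forwards: the raw, ambiguous segments,
    leaving the target's own stack to resolve the overlap."""
    return list(ARRIVED)


if __name__ == "__main__":
    print(relay_view("first"))
    print(relay_view("last"))
    print(resegment(relay_view(), out_seq=5001, mss=10))
```

With the "first" policy the overlap is resolved in the relay and the target only ever sees `GET /index.html`; with "last" it sees `GET XXXdex.html`. Either way the target gets one answer chosen by the relay's stack, whereas `filter_view()` hands it both candidates and the decision is made by whichever stack sits behind the firewall.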
