Firewall Wizards mailing list archives
RE: GXD vs. SPF
From: "Ryan Russell" <ryanr () sybase com>
Date: Tue, 29 Sep 1998 16:51:48 -0700
> Does the SPF function add (to session state monitoring) anything that natural TCP session states don't?
Not generic SPF, no. You get less, actually. Very little of the SPF done in Firewall-1 touches the data stream. The HTTP SPF of the PIX looks like it might be heading in the right direction. FW-1 security servers aren't SPF, near as I can tell. To be complete, SPF adds pretty much automatic transparency, but that's not a security feature, strictly speaking. FW-1 adds things like SYNDefender, but that's not strictly a generic SPF feature, though it's pretty easy to add.
> I thought SPF did unless marketing technical material, and earlier posts about SPF discussed enhancements to the SPF function such as programmatically added (data field pattern matching) filters.
They could, but typically don't.
> The capability for enhancement could be argued as a natural feature of an architecture. That would explain the SPF/AG arguments.
I hope they head in that direction. AGs can add the same features just as easily, maybe easier.
> If SPF is only equivalent to (not better than) TCP session state tracking, then SPF belongs in an AG firewall to add session state to UDP generic proxies.
There's very little to maintain state on in a UDP header. Many SPFs modify the source port to act as an index. There are problems with this. There is a specific bug with FW-1 handling UDP. AGs will maintain better "state" if they understand the protocol. Generic UDP SPFs don't do that good a job. A generic transport-level UDP relay would look an awful lot like a UDP SPF.
> The SPF vs. AG firewall argument is similar to NT vs. UNIX security; in UNIX you turn things on until you're comfortable, and in NT you turn things off or patch until you're comfortable.
Firewall-1 designers appear to start with the most generic SPF handler possible, and only add better handling when the protocol won't work otherwise, or some exploit is published. That's the wrong place for a firewall to be. (To be fair... my SPF information comes mostly from working with FW-1, and more limited work with the PIX. There are other SPF firewalls out there that I've never seen or touched, so they shouldn't be penalized by my statements. I tend to speak like I'm talking about all of them only because FW-1 is often considered to be "the" SPF firewall, and it sucks enough for all of them combined.)

Ryan
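The point made above about UDP, that a generic SPF has almost nothing in the header to keep state on and that a proxy which understands the protocol keeps better "state", is easiest to see in code. The following is an added example written for this archive page; it is not code from the thread, from Firewall-1, from the PIX or from any other product. It keeps a pseudo-state table keyed on the outbound 4-tuple (rather than rewriting the source port as an index, which some products do) with an idle timeout, and admits inbound datagrams only when the reversed tuple matches an unexpired entry. A protocol-aware variant additionally records the DNS transaction id from the outbound query, so a spoofed reply that gets the ports right but the transaction id wrong is dropped, whereas the generic tracker accepts it. Class names, the 30-second timeout, the addresses and the minimal DNS headers are all constructed for the example.

```python
"""Toy UDP pseudo-state tracker (added example; not code from any firewall product).

Generic UDP "stateful" filtering can only key on the 4-tuple
(src_ip, src_port, dst_ip, dst_port) of an outbound datagram.  The tracker
records that tuple with an idle timeout and admits inbound datagrams whose
reversed tuple matches an unexpired entry.  A protocol-aware variant also
records the DNS transaction id, so a reply with the right ports but the
wrong id is rejected, a check a generic SPF cannot make.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FourTuple = Tuple[str, int, str, int]


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""
    inbound: bool = False  # True when arriving from the untrusted side


@dataclass
class Entry:
    expires: float                  # absolute time after which the entry is dead
    dns_txid: Optional[int] = None  # only populated by the protocol-aware tracker


def dns_txid(payload: bytes) -> Optional[int]:
    """Transaction id is the first 16-bit big-endian field of a DNS header."""
    if len(payload) < 2:
        return None
    return struct.unpack(">H", payload[:2])[0]


def dns_message(txid: int, response: bool) -> bytes:
    """Constructed minimal DNS header (no question/answer sections) used as sample payload."""
    flags = 0x8180 if response else 0x0100
    return struct.pack(">HHHHHH", txid, flags, 1, 1 if response else 0, 0, 0)


class UdpStateTable:
    def __init__(self, idle_timeout: float = 30.0, protocol_aware: bool = False):
        self.idle_timeout = idle_timeout
        self.protocol_aware = protocol_aware
        self.table: Dict[FourTuple, Entry] = {}

    @staticmethod
    def _reverse(pkt: Packet) -> FourTuple:
        # An inbound reply is matched against the outbound tuple it answers.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def filter(self, pkt: Packet, now: float) -> str:
        """Return "allow" or a "drop:<reason>" string for one datagram."""
        if not pkt.inbound:
            txid = None
            if self.protocol_aware and pkt.dst_port == 53:
                txid = dns_txid(pkt.payload)
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.table[key] = Entry(now + self.idle_timeout, txid)
            return "allow"

        key = self._reverse(pkt)
        entry = self.table.get(key)
        if entry is None:
            return "drop:no-state"
        if now > entry.expires:
            del self.table[key]  # lazy expiry of idle entries
            return "drop:expired"
        if entry.dns_txid is not None and dns_txid(pkt.payload) != entry.dns_txid:
            return "drop:txid-mismatch"
        entry.expires = now + self.idle_timeout  # generic SPF just refreshes the timer
        return "allow"


def run_scenario() -> Dict[str, str]:
    """Constructed traffic: an inside host querying a resolver, plus stray and spoofed replies."""
    results: Dict[str, str] = {}
    query = Packet("10.0.0.5", 40000, "192.0.2.53", 53, dns_message(0x1234, False))
    reply = Packet("192.0.2.53", 53, "10.0.0.5", 40000, dns_message(0x1234, True), inbound=True)
    stray = Packet("198.51.100.9", 53, "10.0.0.5", 40000, dns_message(0x1234, True), inbound=True)
    spoof = Packet("192.0.2.53", 53, "10.0.0.5", 40000, dns_message(0x9999, True), inbound=True)

    generic = UdpStateTable(idle_timeout=30.0)
    results["outbound_query"] = generic.filter(query, now=0.0)
    results["matching_reply"] = generic.filter(reply, now=1.0)
    results["unsolicited"] = generic.filter(stray, now=2.0)
    results["late_reply"] = generic.filter(reply, now=100.0)   # idle timer ran out
    generic.filter(query, now=200.0)
    results["spoof_generic"] = generic.filter(spoof, now=201.0)  # right 4-tuple is enough

    aware = UdpStateTable(idle_timeout=30.0, protocol_aware=True)
    aware.filter(query, now=200.0)
    results["spoof_aware"] = aware.filter(spoof, now=201.0)
    results["genuine_aware"] = aware.filter(reply, now=202.0)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16s} {verdict}")
```

The generic tracker accepts the spoofed reply because, as the post says, there is nothing else in a UDP header to check; the protocol-aware one rejects it only because it parsed the query it is answering. A real proxy would also close the entry after a one-shot request/response instead of refreshing the timer, which shrinks the window further.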
Current thread:
- GXD vs. SPF Stout, Bill (Sep 25)
- Re: GXD vs. SPF Paul D. Robertson (Sep 29)
- <Possible follow-ups>
- Re: GXD vs. SPF Ryan Russell (Sep 29)
- Re: GXD vs. SPF Frederick M Avolio (Sep 29)
- RE: GXD vs. SPF Stout, Bill (Sep 29)
- RE: GXD vs. SPF Ryan Russell (Sep 30)
- Re: GXD vs. SPF ark (Sep 30)