Firewall Wizards mailing list archives

RE: GXD vs. SPF


From: "Ryan Russell" <ryanr () sybase com>
Date: Tue, 29 Sep 1998 16:51:48 -0700




> Does the SPF function add (to session state monitoring) anything that
> natural TCP session states don't?

Not generic SPF, no.  You get less actually.  Very little of the SPF done
in Firewall-1 touches the data stream.  The HTTP SPF of the PIX looks
like it might be heading in the right direction.  FW-1 security servers
aren't SPF, near as I can tell.  To be complete, SPF adds pretty much
automatic transparency, but that's not a security feature, strictly
speaking.  FW-1 adds things like SYNDefender, but that's not strictly a
generic SPF feature, though it's pretty easy to add.

> I thought SPF did unless marketing technical material, and earlier posts
> about SPF discussed enhancements to the SPF function such as
> programmatically added (data field pattern matching) filters.

They could, but typically don't.

> The capability for enhancement could be argued as a natural
> feature of an architecture.  That would explain the SPF/AG arguments.

I hope they head in that direction.  AGs can add the same features
just as easily, maybe easier.

> If SPF is only equivalent to (not better than) TCP session state tracking,
> then SPF belongs in an AG firewall to add session state to UDP generic
> proxies.

There's very little to maintain state on in a UDP header.  Many SPFs
modify the source port to act as an index.  There are problems
with this.  There is a specific bug with FW-1 handling UDP.  AGs will
maintain better "state" if they understand the protocol.  Generic
UDP SPFs don't do that good a job.  A generic transport-level UDP relay
would look an awful lot like a UDP SPF.

> The SPF vs. AG firewall argument is similar to NT vs. UNIX security; in
> UNIX you turn things on until you're comfortable, and in NT you turn
> things off or patch until you're comfortable.

Firewall-1 designers appear to start with the most generic SPF handler
possible, and only add better handling when the protocol won't
work otherwise, or some exploit is published.  That's the wrong place
for a firewall to be.

(To be fair...my SPF information comes mostly from working with FW-1,
and more limited work with the PIX.  There are other SPF firewalls out
there that I've never seen or touched, so they shouldn't be penalized by
my statements.  I tend to speak like I'm talking about all of them
only because FW-1 is often considered to be "the" SPF firewall,
and it sucks enough for all of them combined.)



                              Ryan
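An added illustration of the UDP point made in the message above (this is example code written for this archive page, not code from the post, from Firewall-1 or from the PIX): a toy Python model of a generic UDP state table that knows only the address/port 4-tuple and an idle timer, next to a variant that also remembers the DNS transaction ID of the outgoing query.  The 40-second idle timeout, the addresses, and the DNS messages are all constructed for the example.  A forged reply that hits the right tuple sails through the generic table; only the protocol-aware table can reject it.

```python
"""Generic UDP state table vs. a DNS-aware one (toy model, constructed data)."""
import struct

IDLE_TIMEOUT = 40.0  # seconds an idle UDP "session" stays open; hypothetical value


def make_pkt(src, sport, dst, dport, payload=b"", ts=0.0):
    """Constructed UDP datagram record used by the simulation."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "payload": payload, "ts": ts}


class GenericUdpState:
    """All a generic UDP filter has to key on: the 4-tuple plus a timer.

    An outbound datagram opens an entry; an inbound one is accepted only if
    it matches the reversed tuple of a live entry.  The payload is never
    looked at, so anything with the right addresses and ports is let in.
    """

    def __init__(self):
        self.table = {}  # (src, sport, dst, dport) -> last-seen timestamp

    def _expire(self, now):
        for key in [k for k, t in self.table.items() if now - t > IDLE_TIMEOUT]:
            del self.table[key]

    def outbound(self, pkt):
        self._expire(pkt["ts"])
        self.table[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])] = pkt["ts"]

    def inbound(self, pkt):
        self._expire(pkt["ts"])
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])  # reversed tuple
        if key not in self.table:
            return False
        self.table[key] = pkt["ts"]
        return True


class DnsAwareUdpState(GenericUdpState):
    """Same table, but for port-53 traffic the query's transaction ID is kept
    and the reply must echo it with the QR (response) bit set."""

    def __init__(self):
        super().__init__()
        self.txid = {}  # same key as self.table -> expected 16-bit DNS ID

    def _expire(self, now):
        super()._expire(now)
        for key in [k for k in self.txid if k not in self.table]:
            del self.txid[key]

    def outbound(self, pkt):
        super().outbound(pkt)
        if pkt["dport"] == 53 and len(pkt["payload"]) >= 12:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            self.txid[key] = struct.unpack("!H", pkt["payload"][:2])[0]

    def inbound(self, pkt):
        if not super().inbound(pkt):
            return False
        expected = self.txid.get((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
        if expected is None:
            return True  # not a tracked DNS exchange; nothing more to check
        if len(pkt["payload"]) < 12:
            return False  # too short to be a DNS header
        reply_id = struct.unpack("!H", pkt["payload"][:2])[0]
        return reply_id == expected and bool(pkt["payload"][2] & 0x80)


def dns_query(txid):
    """Constructed 12-byte DNS header: ID, RD flag, one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)


def dns_reply(txid):
    """Constructed 12-byte DNS header: ID, QR|RD|RA flags, one answer."""
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)


def run_demo():
    """Push one query and three candidate replies through both tables."""
    generic, aware = GenericUdpState(), DnsAwareUdpState()
    query = make_pkt("10.0.0.5", 40001, "192.0.2.53", 53, dns_query(0x1234), ts=0.0)
    for fw in (generic, aware):
        fw.outbound(query)
    good = make_pkt("192.0.2.53", 53, "10.0.0.5", 40001, dns_reply(0x1234), ts=0.2)
    spoof = make_pkt("192.0.2.53", 53, "10.0.0.5", 40001, dns_reply(0x9999), ts=0.3)
    late = make_pkt("192.0.2.53", 53, "10.0.0.5", 40001, dns_reply(0x1234), ts=60.0)
    return {
        "generic_good": generic.inbound(good),    # True
        "generic_spoof": generic.inbound(spoof),  # True: tuple matches, payload unseen
        "generic_late": generic.inbound(late),    # False: idle timer expired
        "aware_good": aware.inbound(good),        # True
        "aware_spoof": aware.inbound(spoof),      # False: wrong transaction ID
        "aware_late": aware.inbound(late),        # False: idle timer expired
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14s} {'accept' if verdict else 'drop'}")
```

The only thing the generic table can ever do about the forged reply is let the timer run out; the DNS-aware table drops it immediately because it knows what a reply to that particular query has to look like.  Real DNS relays check more than the ID (the question section has to match too), but the one field is enough to show where the extra "state" comes from.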




