Firewall Wizards mailing list archives

Re: Evolution of Firewalls


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Wed, 10 Mar 2004 08:47:02 +0100 (CET)

Hi all!

> There is major difference: proxy does analysis and reconstructs data
> stream from analysed data

The sad truth is that many proxies available today simply don't.
With the exception of HTTP and FTP, most connections I've come
across are implemented as simple TCP plugs.

OTOH this still buys you something:

- You can't stealth scan a server protected by an ALG because
  the 3-way handshake has to be completed on the outside before
  the proxy even thinks about initiating the second connection
  to the protected system. SPF permits the first SYN packet
  through.

- For similar reasons you can't play fragmentation games with
  a server protected by an ALG

- And even the neat "partial ACK" attack demonstrated by Michael
  Olsson (sp? Sorry if I got that wrong) a couple of months ago
  doesn't work with an ALG - _by_design_.

So IMHO, yes, there is a big difference and I'd prefer an ALG any time.
I can't think of _any_ policy decision or technical necessity that
would make SPF work better. Performance is not an issue any more
given today's hardware speeds. The only reason pro SPF I've ever
encountered was "The label on the box must read Checkpoint|Cisco,
because they are the market leader".

Regards,

Patrick M. Hausen
Head of Networks and Security
-- 
punkt.de GmbH         Internet - Services - Consulting
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
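The ordering property the post relies on (the outside 3-way handshake must complete before the proxy opens the inside connection, so a bare SYN or a half-open probe never reaches the protected host) can be seen in a minimal "TCP plug" proxy. The following is an added example, not code from the original post or from any product mentioned in it; it runs an echo backend and a plug proxy on loopback ports chosen at runtime, and records when the outside accept returns versus when the inside connect is made. `start_echo_backend`, `start_plug_proxy` and `run_demo` are names chosen for this example.

```python
"""Minimal TCP plug proxy (ALG without protocol analysis) on loopback.

Demonstrates that the inside connection is only opened after the
outside TCP handshake has fully completed, i.e. after accept() returns.
All addresses and ports are local and chosen at runtime (constructed
example, not a real deployment).
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_echo_backend(host="127.0.0.1"):
    """The 'protected system': echoes whatever it receives."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))                # port 0: kernel picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener closed by run_demo()
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def start_plug_proxy(backend_addr, events, host="127.0.0.1"):
    """The ALG: accept outside, only then connect inside, then relay bytes."""
    lsock = socket.socket()
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((host, 0))
    lsock.listen(5)
    port = lsock.getsockname()[1]

    def handle(outside):
        # accept() has already returned here, so the outside SYN/SYN-ACK/ACK
        # exchange is complete; nothing has been sent toward the backend yet.
        events.append("outside handshake complete")
        inside = socket.create_connection(backend_addr)
        events.append("inside connection opened")
        threading.Thread(target=_pump, args=(outside, inside), daemon=True).start()
        _pump(inside, outside)
        inside.close()
        outside.close()

    def serve():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsock, port


def run_demo():
    """Send one line through the proxy; return (echoed bytes, event order)."""
    events = []
    backend, bport = start_echo_backend()
    proxy, pport = start_plug_proxy(("127.0.0.1", bport), events)
    try:
        client = socket.create_connection(("127.0.0.1", pport))
        client.sendall(b"hello through the ALG\n")
        client.shutdown(socket.SHUT_WR)  # EOF propagates proxy -> backend -> back
        reply = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
        client.close()
    finally:
        proxy.close()
        backend.close()
    return reply, list(events)


if __name__ == "__main__":
    print(run_demo())
```

The event list always reads "outside handshake complete" before "inside connection opened": the backend has no socket state at all until the outside client has proven it can complete a handshake, which is exactly why a SYN-only or fragmented probe aimed at the proxy tells an attacker nothing about the host behind it. A stateful packet filter, by contrast, forwards that first SYN inward and lets the protected host's own TCP stack answer it.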