Firewall Wizards mailing list archives
Re: Evolution of Firewalls
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Wed, 10 Mar 2004 08:47:02 +0100 (CET)
Hi all!
> There is a major difference: a proxy does analysis and reconstructs the data stream from the analysed data
The sad truth is that many proxies available today simply don't. With the exception of HTTP and FTP, most connections I've come across are implemented as simple TCP plugs.

OTOH this still buys you something:

- You can't stealth scan a server protected by an ALG, because the 3-way handshake has to be completed on the outside before the proxy even thinks about initiating the second connection to the protected system. SPF permits the first SYN packet through.
- For similar reasons you can't play fragmentation games with a server protected by an ALG.
- And even the neat "partial ACK" attack demonstrated by Michael Olsson (sp? Sorry if I got that wrong) a couple of months ago doesn't work with an ALG - _by_design_.

So IMHO, yes, there is a big difference and I'd prefer an ALG any time. I can't think of _any_ policy decision or technical necessity that would make SPF work better. Performance is not an issue any more given today's hardware speeds. The only reason pro SPF I've ever encountered was "The label on the box must read Checkpoint|Cisco, because they are the market leader".

Regards,
Patrick M. Hausen
Head of Networks and Security
--
punkt.de GmbH Internet - Services - Consulting
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Evolution of Firewalls skpoo (Mar 07)
- <Possible follow-ups>
- Re: Evolution of Firewalls Frederick M Avolio (Mar 07)
- Re: Evolution of Firewalls Dave Piscitello (Mar 08)
- Re: Evolution of Firewalls Frederick M Avolio (Mar 08)
- Re: Evolution of Firewalls Dave Piscitello (Mar 09)
- Re: Evolution of Firewalls Frederick M Avolio (Mar 09)
- Re: Evolution of Firewalls Christian Kreibich (Mar 11)
- Re: Evolution of Firewalls Dave Piscitello (Mar 08)
- Re: Evolution of Firewalls ArkanoiD (Mar 09)
- Re: Evolution of Firewalls Patrick M. Hausen (Mar 11)
- Re: Evolution of Firewalls Mikael Olsson (Mar 11)
- Message not available
- Re: Evolution of Firewalls ArkanoiD (Mar 11)
- vpn end-point Shimon Silberschlag (Mar 18)
- Re: Evolution of Firewalls Marcus J. Ranum (Mar 09)
- Re: Evolution of Firewalls Devdas Bhagat (Mar 11)
- Re: Evolution of Firewalls Marcus J. Ranum (Mar 12)
- Re: Evolution of Firewalls ArkanoiD (Mar 18)
- Re: Evolution of Firewalls Marcus J. Ranum (Mar 18)