Firewall Wizards mailing list archives
Re: Evolution of Firewalls
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 12 Mar 2004 01:24:41 +0100
Just a few nits here.. "Patrick M. Hausen" wrote:
> OTOH this still buys you something:
> - You can't stealth scan a server protected by an ALG because the 3way handshake has to be completed on the outside before the proxy even thinks about initiating the second connection to the protected system. SPF permits the first SYN packet through.
There are SPFs that (can be configured to) do 3way handshakes with the client before sending a SYN to the server. I use this on my home fw to create the illusion of having every port below 1024 open. It attracts several full-blown port scans a month, and I'm sure the weenies are having a real hard time guessing which ports actually do something useful :)
> - For similar reasons you can't play fragmentation games with a server protected by an ALG
... or an SPF that reassembles fragments before passing them on. Probably not even one that pseudo-reassembles fragments (queueing fragments up and sending them out in correct sequence, only if there are no overlaps etc)
> - And even the neat "partial ACK" attack demonstrated by Michael Olsson (sp? Sorry if I got that wrong) a couple of months ago doesn't work with an ALG - _by_design_.
Actually, it won't work with an SPF either. Not one that only keeps state for layer 4 and down. It's when you think you can get away with cheating and grep for strings in raw TCP segments that things go down hill.
> So IMHO, yes, there is a big difference and I'd prefer an ALG any time. I can't think of _any_ policy decision or technical necessity that would make SPF work better. Performance is not an issue any more given todays hardware speeds.
I can think of several, including, actually, performance. Not that they apply _everywhere_, but picking the right tool for a particular job is still far from a no-brainer.

Having said that, my personal favorite setup is a mix of packet filters and ALGs, which, to my mind, gives the greatest freedom in applying extra security to segments that need it, and flexibility and performance to segments that need _that_. Oh, and separating machines running different ALGs into different security zones to keep holes in one ALG from affecting everything else. Remember that if an ALG is good enough to actually do something meaningful to your data stream, it is likely to be made up of quite a sizable chunk of code, and code is written by humans, and humans make mistakes, regardless of whether they're writing code for a firewall, desktop or server.

/Mike, crawling back under his rock

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
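The point Mikael makes about a stateful filter completing the client's three-way handshake itself (and answering decoy ports the same way) can be shown with a small model. The following is an added example, not code from this thread or from Clavister: a toy SYN-proxying filter next to an ordinary pass-through stateful filter, driven by constructed segments. Addresses, ports, sequence numbers and the class and function names are all assumptions made for the illustration.

```python
"""Toy model of two stateful packet filters in front of a protected server.

PassThroughFilter forwards an allowed SYN to the server immediately, so a
half-open probe reaches the server. SynProxyFilter answers every SYN on an
allowed or decoy port itself and only contacts the server once the client
has completed the handshake, so a half-open probe never reaches the server
and decoy ports look exactly like real ones. Constructed example; not the
behaviour of any particular product.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

SYN = frozenset({"SYN"})
ACK = frozenset({"ACK"})
SYNACK = frozenset({"SYN", "ACK"})
RST = frozenset({"RST"})


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]
    seq: int = 0
    ack: int = 0


def reply(seg: Segment, flags: FrozenSet[str], seq: int = 0, ack: int = 0) -> Segment:
    """Build a segment travelling in the opposite direction to `seg`."""
    return Segment(seg.dst, seg.src, seg.dport, seg.sport, flags, seq, ack)


@dataclass
class Flow:
    state: str        # "SYN_RCVD": client handshake pending; "OPENING": SYN sent to server
    fw_isn: int       # initial sequence number the firewall chose in its SYN/ACK
    client_isn: int


class PassThroughFilter:
    """Ordinary stateful filter: an allowed SYN is handed straight to the server."""

    def __init__(self, allowed_ports):
        self.allowed = set(allowed_ports)
        self.to_server: List[Segment] = []   # segments emitted toward the protected host
        self.to_client: List[Segment] = []   # segments emitted toward the outside

    def receive_from_client(self, seg: Segment) -> None:
        if seg.flags == SYN and seg.dport in self.allowed:
            self.to_server.append(seg)        # the server now sees the probe
        # everything else has no state and is dropped


class SynProxyFilter:
    """Stateful filter that completes the client handshake before touching the server."""

    def __init__(self, allowed_ports, decoy_ports=range(1, 1024), first_isn=1000):
        self.allowed = set(allowed_ports)
        self.decoy = set(decoy_ports)         # answered with SYN/ACK but lead nowhere
        self.flows: Dict[Tuple[str, int, str, int], Flow] = {}
        self.to_server: List[Segment] = []
        self.to_client: List[Segment] = []
        self._next_isn = first_isn

    @staticmethod
    def _key(seg: Segment):
        return (seg.src, seg.sport, seg.dst, seg.dport)

    def receive_from_client(self, seg: Segment) -> None:
        key = self._key(seg)
        flow = self.flows.get(key)
        if flow is None:
            if seg.flags == SYN and (seg.dport in self.allowed or seg.dport in self.decoy):
                isn, self._next_isn = self._next_isn, self._next_isn + 1
                self.flows[key] = Flow("SYN_RCVD", isn, seg.seq)
                self.to_client.append(reply(seg, SYNACK, seq=isn, ack=seg.seq + 1))
            # segments without state (bare ACK/FIN/NULL probes, SYNs to other ports) are dropped
            return
        if flow.state == "SYN_RCVD" and seg.flags == ACK and seg.ack == flow.fw_isn + 1:
            if seg.dport in self.allowed:
                # handshake done: only now does the server see a SYN
                flow.state = "OPENING"
                self.to_server.append(Segment(seg.src, seg.dst, seg.sport, seg.dport, SYN, seq=flow.client_isn))
            else:
                # decoy port: tear the client-side connection down, server untouched
                del self.flows[key]
                self.to_client.append(reply(seg, RST, seq=flow.fw_isn + 1))
        # any other out-of-state segment is dropped


def probe(fw, port: int, complete_handshake: bool,
          client: str = "198.51.100.7", server: str = "192.0.2.10"):
    """Drive one connection attempt; return the flag sets each side observed."""
    before_cli, before_srv = len(fw.to_client), len(fw.to_server)
    fw.receive_from_client(Segment(client, server, 40000, port, SYN, seq=500))
    if complete_handshake and len(fw.to_client) > before_cli:
        synack = fw.to_client[-1]
        fw.receive_from_client(Segment(client, server, 40000, port, ACK, seq=501, ack=synack.seq + 1))
    client_saw = [sorted(s.flags) for s in fw.to_client[before_cli:]]
    server_saw = [sorted(s.flags) for s in fw.to_server[before_srv:]]
    return client_saw, server_saw


if __name__ == "__main__":
    for name, make in (("pass-through", lambda: PassThroughFilter([80])),
                       ("syn-proxy", lambda: SynProxyFilter([80]))):
        for port, full in ((80, False), (23, False), (80, True), (23, True)):
            print(name, port, "full" if full else "half-open", probe(make(), port, full))
```

Run it and compare the two rows for a half-open probe to port 80: the pass-through filter hands the bare SYN to the server, while the SYN proxy answers the client itself and the server list stays empty. The decoy port 23 produces the same SYN/ACK as port 80, which is the "illusion of every port below 1024 open" in the message; only after a completed handshake does the proxy distinguish the two, and even then the server never sees the decoy.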