Proxy 2.0 secure? (AG vs. SPF)

Ryan Russell ryanr@sybase.com
Mon, 29 Jun 1998 12:56:45 -0700

>> Hmm... so, during a discussion which, in part, involves
>> buggy TCP/IP stack implementations, you're recommending
>> an Application Gateway.

>Yes, but I don't see what point you're making. Are you trying to insinuate
>that application gateways are somehow more vulnerable to IP stack problems
>than stateful filters? Perhaps you're making the assumption that AG
>firewalls ride on top of vendor IP stacks.

AGs are completely vulnerable to problems in the lower layers
of IP stacks.  SPFs have their own problems, and may or may not be
vulnerable to IP stack implementation problems on the firewall machine,
depending on implementation of the SPF.  AG firewalls always ride on
someone's IP stack.  You'd be more fortunate than most if it's
not the original stack that came with the host OS, and was written
by someone who knew what they were doing.

>> Well, I'm convinced, proxying is ALWAYS better than
>> SPF. :)

>It is. By design. Stateful filtering is a performance hack.

While I don't claim to have as much insight into the intentions
of SPF developers as you do, I do know that a good SPF
implementation could stop many more attacks than an AG
could.  Take all of the screwing-with-the-frag-pointers attacks
for example:  an AG running on a stack with that bug will go
down.  A really good SPF implementation would catch that
and drop the connection.  The AG is dependent on the IP stack
to behave.

Note that I don't claim that any good SPF implementations exist
on the market.

It's a matter of how you like to do your firewall software.  SPFs could
do it all in one piece.  AGs do it in at least two pieces, and if the
AG comes with its own IP stack, then the vendor has as much
opportunity to get all the pieces right as the SPF vendor, with
something close to the same amount of work.

                    Ryan


From: tqbf@pobox.com
Subject: Re: Proxy 2.0 secure?
In-Reply-To: <88256632.0067EEB8.00@gwwest.sybase.com> from Ryan Russell at
"Jun 29, 98 11:59:16 am"
To: ryanr@sybase.com (Ryan Russell)
Date: Mon, 29 Jun 1998 14:37:43 -0500 (CDT)
Cc: tqbf@pobox.com, firewall-wizards@nfr.net
Reply-To: tqbf@pobox.com