Great Circle Associates Firewalls
(June 1997)

Subject: Re: Stateful Packet Filters vs. Proxies
From: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>
Date: 9 Jun 97 9:58:45 EDT
To: "Craig I. Hagan" <hagan @ cih . com>
Cc: firewalls <firewalls @ GreatCircle . COM>

Source-code review - You think that SPFs
don't have source code?  Or do you take issue with the fact that
the two main SPF vendors (Checkpoint and Cisco)
don't provide source code for review?

Black-box testing - Fw1 runs on a number of different
OSes, though with a portion that is OS-specific
in each case.  Because of their nature, SPFs have to
replace some portion of the host OS, and rely
less on the host OS than a proxy.  Some people
think this is a good thing, given the number of OS
problems out there.

I'm not sure what the point of your performance question is,
since that isn't a security question, but SPFs will
perform better than proxies, in general.

    Ryan

---------- Previous Message ----------
To: avalon
cc: Ryan.Russell, sjg, firewalls
From: hagan @ cih . com ("Craig I. Hagan") @ smtp
Date: 06/09/97 11:07:14 AM
Subject: Re: Stateful Packet Filters vs. Proxies


agreed. if i may extend your point, it is also easier to verify a proxy
agent than it is an SPF as you have many more controls that you can use in
your experiment:

 * source code review
 * easier black box testing - you can move the proxy agent
   through a set of known operating systems to reduce the amount
   of possible OS contamination in your tests

my issues with SPFs aren't that they can't be secure, but, that they
are being mismarketed. i don't think that everyone needs maximal
security, but, people should understand the tradeoffs that they are making
when they choose technology A over B, e.g. choosing an SPF (or similar
strategy) over a proxy.

> And whilst "anything is possible", current SPF technology does not yet
> appear to have advanced far enough to allow them to work as universally
> well as proxies.

I would like to see what the CPU requirements would be to f/w a T3, 100mb
ethernet, and (where possible) 1gb ethernet connections using proxies on the
following (optimally configured, of course):

 * commercial unix hw+sw (e.g. sun, alpha+osf/1)
 * commercial unix sw + pc hw (e.g. stuff like solaris x86, bsdi)
 * commercial hw + PD unices (e.g. alpha+linux/*bsd; sun+linux/*bsd, etc)
 * pc hw, pd unix (pc+linux/*bsd, etc)

but, hey, that is wishful thinking on my part :)

-- craig

-------------------------------------------------------------------------------
Craig I. Hagan     "It's a small world, but I wouldn't want to back it up"
hagan @ cih . com  "True hackers don't die, their ttl expires"
   "It takes a village to raise an idiot, but an idiot can raze a village"