Re: [fw-wiz] Evolution of Firewalls
From: Patrick M. Hausen (hausen_at_punkt.de)
To: email@example.com
Date: Wed, 10 Mar 2004 08:47:02 +0100 (CET)
> There is major difference: proxy does analysis and reconstructs data
> stream from analysed data
The sad truth is that many proxies available today simply don't.
With the exception of HTTP and FTP, most connections I've come
across are implemented as simple TCP plugs.
OTOH this still buys you something:
- You can't stealth scan a server protected by an ALG because
the 3-way handshake has to be completed on the outside before
the proxy even thinks about initiating the second connection
to the protected system. SPF permits the first SYN packet
- For similar reasons you can't play fragmentation games with
a server protected by an ALG
- And even the neat "partial ACK" attack demonstrated by Michael
Olsson (sp? Sorry if I got that wrong) a couple of months ago
doesn't work with an ALG - _by_design_.
So IMHO, yes, there is a big difference and I'd prefer an ALG any time.
I can't think of _any_ policy decision or technical necessity that
would make SPF work better. Performance is not an issue any more
given today's hardware speeds. The only reason pro SPF I've ever
encountered was "The label on the box must read Checkpoint|Cisco,
because they are the market leader".
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
--
punkt.de GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de
_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
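The "TCP plug" behaviour the post describes, written out as an added example (this is not code from the post or from any product it mentions): the proxy only ever sees an outside connection after the kernel has completed the 3-way handshake in accept(), and the inside connection to the protected server is a separate socket the proxy opens itself. As an extra hardening assumption of this example, the plug waits for the first payload bytes before connecting inwards, so a probe that merely completes the handshake and hangs up never causes any traffic to the backend. The echo backend, the localhost addresses and the class/function names (RecordingBackend, PlugProxy, demo) are constructed for the demonstration.

```python
import socket
import threading
import time


class RecordingBackend:
    """Constructed stand-in for the protected server: echoes what it gets
    and records the peer of every accepted connection, so we can see who
    the server actually talks to (only ever the proxy, never the scanner)."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.addr = self.sock.getsockname()
        self.peers = []
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return
            self.peers.append(peer)  # recorded before any byte is echoed
            threading.Thread(target=self._echo, args=(conn,), daemon=True).start()

    @staticmethod
    def _echo(conn):
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data)

    def close(self):
        self.sock.close()


def _pump(src, dst):
    """Relay bytes one way; on EOF or error tear down both sides.
    shutdown() first so a recv() blocked in the other thread wakes up."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


class PlugProxy:
    """Plain TCP plug (an ALG with no protocol knowledge): terminates the
    outside TCP connection, then opens its own connection to the backend."""

    def __init__(self, backend_addr, connect_on_first_data=True):
        self.backend_addr = backend_addr
        self.connect_on_first_data = connect_on_first_data  # assumption: hardening knob
        self.inside_connections = 0
        self.handlers = []
        self._lock = threading.Lock()
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.addr = self.sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                outside, _ = self.sock.accept()  # handshake already done here
            except OSError:
                return
            t = threading.Thread(target=self._handle, args=(outside,), daemon=True)
            self.handlers.append(t)
            t.start()

    def _handle(self, outside):
        first = b""
        if self.connect_on_first_data:
            first = outside.recv(4096)  # a connect-and-hang-up probe ends here
            if not first:
                outside.close()
                return
        try:
            inside = socket.create_connection(self.backend_addr)  # second, separate TCP connection
        except OSError:
            outside.close()
            return
        with self._lock:
            self.inside_connections += 1
        if first:
            inside.sendall(first)
        threading.Thread(target=_pump, args=(inside, outside), daemon=True).start()
        _pump(outside, inside)

    def close(self):
        self.sock.close()


def demo():
    """Run one real client and one handshake-only probe through the plug."""
    backend = RecordingBackend()
    proxy = PlugProxy(backend.addr)
    with socket.create_connection(proxy.addr) as client:  # legitimate client
        client.sendall(b"hello")
        echoed = client.recv(4096)
    socket.create_connection(proxy.addr).close()  # probe: handshake only, no data
    deadline = time.time() + 2
    while len(proxy.handlers) < 2 and time.time() < deadline:
        time.sleep(0.01)
    for t in list(proxy.handlers):
        t.join(timeout=2)
    backend.close()
    proxy.close()
    return {"echoed": echoed, "inside_connections": proxy.inside_connections,
            "backend_peers": list(backend.peers)}


if __name__ == "__main__":
    print(demo())
```

Nothing in the proxy ever forwards a raw segment, which is why SYN-only (half-open) scans, fragment tricks and partial-ACK games cannot reach the backend: the kernel on the outside interface has to finish the handshake and reassemble a clean byte stream before the plug code even runs. The connect_on_first_data option goes one step further than the post requires; without it a full connect() scan would still open one inside connection per probe.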