Re: [fw-wiz] Evolution of Firewalls

From: Patrick M. Hausen (
Date: 03/10/04

    Date: Wed, 10 Mar 2004 08:47:02 +0100 (CET)

    Hi all!

    > There is major difference: proxy does analysis and reconstructs data
    > stream from analysed data

    The sad truth is that many proxies available today simply don't.
    With the exception of HTTP and FTP, most connections I've come
    across are implemented as simple TCP plugs.

    OTOH this still buys you something:

    - You can't stealth scan a server protected by an ALG because
      the 3-way handshake has to be completed on the outside before
      the proxy even thinks about initiating the second connection
      to the protected system. SPF permits the first SYN packet.

    - For similar reasons you can't play fragmentation games with
      a server protected by an ALG.

    - And even the neat "partial ACK" attack demonstrated by Michael
      Olsson (sp? Sorry if I got that wrong) a couple of months ago
      doesn't work with an ALG - _by_design_.

    So IMHO, yes, there is a big difference and I'd prefer an ALG any time.
    I can't think of _any_ policy decision or technical necessity that
    would make SPF work better. Performance is not an issue any more
    given today's hardware speeds. The only reason pro SPF I've ever
    encountered was "The label on the box must read Checkpoint|Cisco,
    because they are the market leader".
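The "simple TCP plug" the post describes, as an added example that is not part of the original message and not code from any product it mentions. It is a minimal plug proxy on loopback: the connection to the protected server is only initiated after `accept()` has returned, which the kernel does only once the outside client's 3-way handshake is complete, and the server only ever receives stream data that the proxy's own TCP stack has already reassembled. The echo backend, the ports (ephemeral loopback) and the event log are constructed here purely to make the ordering observable.

```python
"""Minimal TCP plug proxy (added example, not from the original post).

Shows two properties of an ALG that the post relies on even when the proxy
does no protocol analysis: (1) the inside connection is opened only after
the outside 3-way handshake has completed, so a half-open probe never
reaches the protected server; (2) the server sees only bytes the proxy
read from a socket, i.e. already reassembled by the proxy's TCP stack.
"""
import socket
import threading

BUFSIZE = 4096


def relay(src, dst):
    """Copy stream data src -> dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(BUFSIZE)   # reassembled bytes, never raw packets
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_connection(client, backend_addr, log):
    """Runs once accept() has returned, i.e. after the outside handshake."""
    log.append("outside handshake complete")
    backend = socket.create_connection(backend_addr)   # second connection
    log.append("inside connection opened")
    t = threading.Thread(target=relay, args=(backend, client), daemon=True)
    t.start()
    relay(client, backend)
    t.join()
    backend.close()
    client.close()


def listen_loopback():
    """Listening socket on an ephemeral 127.0.0.1 port (constructed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s


def start_plug_proxy(backend_addr, log):
    """Start the plug in a daemon thread; return its address."""
    ls = listen_loopback()

    def loop():
        while True:
            try:
                conn, _ = ls.accept()   # blocks until handshake is done
            except OSError:
                return
            threading.Thread(target=serve_connection,
                             args=(conn, backend_addr, log),
                             daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()


def start_echo_backend(log):
    """Stand-in for the protected server: logs each accepted connection
    and echoes whatever it receives (constructed for the example)."""
    ls = listen_loopback()

    def loop():
        while True:
            try:
                conn, _ = ls.accept()
            except OSError:
                return
            log.append("backend accepted")
            with conn:
                while True:
                    data = conn.recv(BUFSIZE)
                    if not data:
                        break
                    conn.sendall(data)

    threading.Thread(target=loop, daemon=True).start()
    return ls.getsockname()


def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Send payload through the plug; return (event log, echoed bytes)."""
    log = []
    backend_addr = start_echo_backend(log)
    proxy_addr = start_plug_proxy(backend_addr, log)
    with socket.create_connection(proxy_addr) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        got = b""
        while True:
            chunk = c.recv(BUFSIZE)
            if not chunk:
                break
            got += chunk
    return log, got


if __name__ == "__main__":
    events, echoed = demo()
    print(events)
    print(echoed)
```

The first log entry is always "outside handshake complete": the plug cannot even attempt the inside connection before `accept()` hands it a fully established outside socket, which is exactly why a SYN-only probe against the proxy never produces a connection attempt on the protected side. Threads are daemons, so the listeners go away with the process.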


