Re: [fw-wiz] Evolution of Firewalls
From: Mikael Olsson (mikael.olsson_at_clavister.com)
To: "Patrick M. Hausen" <firstname.lastname@example.org>
Date: Fri, 12 Mar 2004 01:24:41 +0100
Just a few nits here..
"Patrick M. Hausen" wrote:
> OTOH this still buys you something:
> - You can't stealth scan a server protected by an ALG because
> the 3way handshake has to be completed on the outside before
> the proxy even thinks about initiating the second connection
> to the protected system. SPF permits the first SYN packet
There are SPFs that (can be configured to) do 3way handshakes
with the client before sending a SYN to the server.
I use this on my home fw to create the illusion of having every
port below 1024 open. It attracts several full-blown port
scans a month, and I'm sure the weenies are having a real
hard time guessing which ports actually do something useful :)
> - For similar reasons you can't play fragmentation games with
> a server protected by an ALG
... or an SPF that reassembles fragments before passing
them on. Probably not even one that pseudo-reassembles
fragments (queueing fragments up and sending them out
in correct sequence, only if there are no overlaps etc)
> - And even the neat "partial ACK" attack demonstrated by Michael
> Olsson (sp? Sorry if I got that wrong) a couple of months ago
> doesn't work with an ALG - _by_design_.
Actually, it won't work with an SPF either. Not one that only
keeps state for layer 4 and down. It's when you think you can get
away with cheating and grep for strings in raw TCP segments that
things go downhill.
> So IMHO, yes, there is a big difference and I'd prefer an ALG any time.
> I can't think of _any_ policy decision or technical necessity that
> would make SPF work better. Performance is not an issue any more
> given today's hardware speeds.
I can think of several, including, actually, performance. Not that
they apply _everywhere_, but picking the right tool for a particular
job is still far from a no-brainer.
Having said that, my personal favorite setup is a mix of packet filters
and ALGs, which, to my mind, gives the greatest freedom in applying
extra security to segments that need it, and flexibility and
performance to segments that need _that_. Oh, and separating machines
running different ALGs into different security zones to keep holes in
one ALG from affecting everything else. Remember that if an ALG is
good enough to actually do something meaningful to your data stream,
it is likely to be made up of quite a sizable chunk of code, and code
is written by humans, and humans make mistakes, regardless of whether
they're writing code for a firewall, desktop or server.
/Mike, crawling back under his rock
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05  Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
email@example.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
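The SYN-proxying packet filter Mike describes (the filter completes the 3-way handshake with the client itself and only then sends a SYN to the server) can be modelled in a few dozen lines. The following is an added illustration, not code from the original message or from Clavister: a toy state machine for one proxied connection. Host names, sequence numbers, flag strings and the HTTP payloads are all constructed for the example; the design choice of reusing the client's ISN on the server side (so only the server's sequence numbers need translating) is one common approach, assumed here rather than taken from the page.

```python
"""Toy SYN proxy: the filter answers the client's SYN itself and contacts the
server only after the client's ACK.  A SYN-only scan therefore sees every
proxied port as "open" while the server never sees a packet."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str            # "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK with data
    seq: int
    ack: int = 0
    payload: bytes = b""


class SynProxy:
    """One proxied TCP connection through a SYN-proxying packet filter."""

    def __init__(self, fw_isn: int) -> None:
        self.fw_isn = fw_isn               # ISN the filter hands the client
        self.state = "LISTEN"
        self.client_isn: Optional[int] = None
        self.server_isn: Optional[int] = None
        self.delta = 0                     # server_isn - fw_isn, set once known
        self.to_client: List[Packet] = []  # packets the filter emitted outward
        self.to_server: List[Packet] = []  # packets the filter emitted inward
        self.dropped: List[Packet] = []

    def from_client(self, p: Packet) -> None:
        if self.state == "LISTEN" and p.flags == "S":
            # Answer the SYN ourselves; the server is not involved yet.
            self.client_isn = p.seq
            self.to_client.append(Packet("fw", "client", "SA", self.fw_isn, p.seq + 1))
            self.state = "SYN_RCVD"
        elif self.state == "SYN_RCVD" and p.flags == "A" and p.ack == self.fw_isn + 1:
            # Client finished the 3-way handshake: now, and only now, talk to the server.
            self.to_server.append(Packet("fw", "server", "S", self.client_isn))
            self.state = "CONNECTING"
        elif self.state == "ESTABLISHED":
            # Client acks in the filter's sequence space; rewrite into the server's.
            self.to_server.append(Packet(p.src, p.dst, p.flags, p.seq,
                                         p.ack + self.delta, p.payload))
        else:
            # Simplification: a real proxy would queue early data, this one drops it.
            self.dropped.append(p)

    def from_server(self, p: Packet) -> None:
        if self.state == "CONNECTING" and p.flags == "SA" and p.ack == self.client_isn + 1:
            self.server_isn = p.seq
            self.delta = self.server_isn - self.fw_isn
            self.to_server.append(Packet("fw", "server", "A", self.client_isn + 1, p.seq + 1))
            self.state = "ESTABLISHED"
        elif self.state == "ESTABLISHED":
            # Server sequence numbers are shifted back into the space the client knows.
            self.to_client.append(Packet(p.src, p.dst, p.flags, p.seq - self.delta,
                                         p.ack, p.payload))
        else:
            self.dropped.append(p)


def half_open_scan(fw_isn: int = 5000, client_isn: int = 100) -> dict:
    """SYN-only probe: the scanner gets a SYN/ACK, the server gets nothing."""
    fw = SynProxy(fw_isn)
    fw.from_client(Packet("client", "server", "S", client_isn))
    return {"scanner_saw": fw.to_client[0].flags,
            "server_saw": len(fw.to_server),
            "state": fw.state}


def full_connect(fw_isn: int = 5000, client_isn: int = 100,
                 server_isn: int = 900000) -> dict:
    """Complete handshake, one request and one reply, with sequence translation."""
    fw = SynProxy(fw_isn)
    fw.from_client(Packet("client", "server", "S", client_isn))
    syn_ack = fw.to_client[-1]
    fw.from_client(Packet("client", "server", "A", client_isn + 1, syn_ack.seq + 1))
    fw.from_server(Packet("server", "client", "SA", server_isn, client_isn + 1))
    req = b"GET / HTTP/1.0\r\n\r\n"                      # 18 bytes, constructed
    fw.from_client(Packet("client", "server", "PA", client_isn + 1, fw_isn + 1, req))
    forwarded = fw.to_server[-1]
    fw.from_server(Packet("server", "client", "PA", server_isn + 1,
                          client_isn + 1 + len(req), b"HTTP/1.0 200 OK\r\n"))
    returned = fw.to_client[-1]
    return {"server_first_flags": fw.to_server[0].flags,   # first thing the server ever saw
            "server_ack_seen": forwarded.ack,               # == server_isn + 1
            "client_seq_seen": returned.seq,                # == fw_isn + 1
            "state": fw.state}


if __name__ == "__main__":
    print("half-open scan:", half_open_scan())
    print("full connect:  ", full_connect())
```

In `half_open_scan` the filter is left in `SYN_RCVD` holding a little state per probe, which is the cost of making every port look open; a real implementation bounds that (timeouts or SYN cookies so no state is kept until the ACK arrives), which this toy does not model.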
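Mike's point that trouble starts when a filter "greps for strings in raw TCP segments" rather than keeping proper stream state, together with the note that a pseudo-reassembler should pass fragments on only when there are no overlaps, is easiest to see with a small reassembler beside a naive per-segment match. This is an added example, not code from the original message; the HTTP request, the split points, the sequence numbers and the "signature" are all constructed for it, and the overlap policy (flag any overlapping bytes that disagree with data already seen) is an assumption of this illustration, not a description of any particular product.

```python
"""Per-segment grep versus inspection of the reassembled TCP stream."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Segment:
    seq: int    # sequence number of the first payload byte
    data: bytes


# Hypothetical content signature an inline filter might look for.
SIGNATURE = b"/etc/passwd"

# Constructed request; its first payload byte carries sequence number ISN.
ISN = 1000
REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\n"

# Evasion 1: cut the request so the signature straddles two segments and
# deliver the second half first (out of order).
SPLIT_SEGMENTS = [
    Segment(ISN + 14, REQUEST[14:]),   # b"/passwd HTTP/1.0\r\n"
    Segment(ISN, REQUEST[:14]),        # b"GET /../../etc"
]

# Evasion 2: send a harmless request, then "retransmit" the same sequence
# range with different bytes.  Which copy the end host honours depends on
# its TCP stack; a filter that accepts both without noticing is fooled.
OVERLAP_SEGMENTS = [
    Segment(ISN, b"GET /robots.txt HTTP/1.0\r\n"),
    Segment(ISN, REQUEST),
]


def grep_raw_segments(segments: Iterable[Segment], pattern: bytes) -> bool:
    """Per-segment matching: what a filter does if it greps raw payloads."""
    return any(pattern in s.data for s in segments)


class Reassembler:
    """Minimal in-order reassembler for one direction of a TCP stream.

    Bytes are delivered strictly in sequence order; out-of-order data waits
    in `pending` until the hole before it is filled.  If a segment overlaps
    data already seen and the overlapping bytes disagree, `ambiguous` is set:
    the filter cannot know which copy the server will use, so it should not
    trust its own view of the stream (drop, reset or alert instead).
    """

    def __init__(self, isn: int) -> None:
        self.isn = isn
        self.next_seq = isn            # next byte we expect to deliver
        self.stream = bytearray()      # delivered bytes; stream[0] has seq isn
        self.pending: List[Segment] = []
        self.ambiguous = False

    def feed(self, seg: Segment) -> None:
        seq, data = seg.seq, seg.data
        end = seq + len(data)
        if seq < self.next_seq:
            # Part (or all) of this segment repeats bytes already delivered.
            n = min(end, self.next_seq) - seq
            off = seq - self.isn
            if data[:n] != bytes(self.stream[off:off + n]):
                self.ambiguous = True
            seq, data = self.next_seq, data[n:]
            if not data:
                return
        end = seq + len(data)
        for p in self.pending:
            # Compare against bytes still waiting out of order.
            lo, hi = max(seq, p.seq), min(end, p.seq + len(p.data))
            if lo < hi and data[lo - seq:hi - seq] != p.data[lo - p.seq:hi - p.seq]:
                self.ambiguous = True
        self.pending.append(Segment(seq, data))
        self._drain()

    def _drain(self) -> None:
        """Move every pending segment that is now contiguous into the stream."""
        while True:
            ready = [p for p in self.pending
                     if p.seq <= self.next_seq < p.seq + len(p.data)]
            if not ready:
                break
            p = ready[0]
            self.stream += p.data[self.next_seq - p.seq:]
            self.next_seq = p.seq + len(p.data)
            self.pending = [q for q in self.pending
                            if q.seq + len(q.data) > self.next_seq]


def reassemble(isn: int, segments: Iterable[Segment]) -> bytes:
    r = Reassembler(isn)
    for s in segments:
        r.feed(s)
    return bytes(r.stream)


def inspect(isn: int, segments: List[Segment], pattern: bytes) -> dict:
    """Naive per-segment match next to a match on the reassembled stream."""
    r = Reassembler(isn)
    for s in segments:
        r.feed(s)
    return {"raw_match": grep_raw_segments(segments, pattern),
            "stream_match": pattern in bytes(r.stream),
            "ambiguous": r.ambiguous}


if __name__ == "__main__":
    print("split, out of order:", inspect(ISN, SPLIT_SEGMENTS, SIGNATURE))
    print("conflicting overlap:", inspect(ISN, OVERLAP_SEGMENTS, SIGNATURE))
```

The split case is the one a raw-segment grep loses outright: neither segment contains the pattern, the reassembled stream does. The overlap case shows why simply reassembling is not the end of it either; the reassembler here keeps the first copy of each byte, but the protected server may keep the last, so the only safe answer for bytes that disagree is to refuse to forward them rather than to pick a side.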