Re: [fw-wiz] Evolution of Firewalls

From: Mikael Olsson (
Date: 03/12/04

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Evolution of Firewalls"
    To: "Patrick M. Hausen" <>
    Date: Fri, 12 Mar 2004 01:24:41 +0100

    Just a few nits here..

    "Patrick M. Hausen" wrote:
    > OTOH this still buys you something:
    > - You can't stealth scan a server protected by an ALG because
    > the 3-way handshake has to be completed on the outside before
    > the proxy even thinks about initiating the second connection
    > to the protected system. SPF permits the first SYN packet
    > through.

    There are SPFs that (can be configured to) do 3-way handshakes
    with the client before sending a SYN to the server.

    I use this on my home fw to create the illusion of having every
    port below 1024 open. It attracts several full-blown port
    scans a month, and I'm sure the weenies are having a real
    hard time guessing which ports actually do something useful :)

    > - For similar reasons you can't play fragmentation games with
    > a server protected by an ALG

    ... or an SPF that reassembles fragments before passing
    them on. Probably not even one that pseudo-reassembles
    fragments (queueing fragments up and sending them out
    in correct sequence, only if there are no overlaps etc)

    > - And even the neat "partial ACK" attack demonstrated by Michael
    > Olsson (sp? Sorry if I got that wrong) a couple of months ago
    > doesn't work with an ALG - _by_design_.

    Actually, it won't work with an SPF either. Not one that only
    keeps state for layer 4 and down. It's when you think you can get
    away with cheating and grep for strings in raw TCP segments that
    things go downhill.

    > So IMHO, yes, there is a big difference and I'd prefer an ALG any time.
    > I can't think of _any_ policy decision or technical necessity that
    > would make SPF work better. Performance is not an issue any more
    > given today's hardware speeds.

    I can think of several, including, actually, performance. Not that
    they apply _everywhere_, but picking the right tool for a particular
    job is still far from a no-brainer.

    Having said that, my personal favorite setup is a mix of packet filters
    and ALGs, which, to my mind, gives the greatest freedom in applying
    extra security to segments that need it, and flexibility and
    performance to segments that need _that_. Oh, and separating machines
    running different ALGs into different security zones to keep holes in
    one ALG from affecting everything else. Remember that if an ALG is
    good enough to actually do something meaningful to your data stream,
    it is likely to be made up of quite a sizable chunk of code, and code
    is written by humans, and humans make mistakes, regardless of whether
    they're writing code for a firewall, desktop or server.

    /Mike, crawling back under his rock

    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW:
    firewall-wizards mailing list
