In some mail from Chris Tyler, sie said:
> Practically, only Stateful Packet Screens can:
> - Detect and block port scans (SATAN et al). AGs don't do this well
> because each AG only watches specific ports, but an SPS watches all
> traffic across all ports to a subnet and can detect specific signature
> usage patterns.
This can be done by programs built on things like BPF/NIT/DLPI.
> - Quickly eliminate a first layer of crud from reaching the network
> (source routing, spoofing, etc).
> Practically, only Application Gateways can:
> - Enforce complex rules based on the contents of the data stream
> (actual commands being passed in an FTP session, or the presence
> of a binary attachment in mail).
> - Return an advanced, service-dependent response to the remote
> end, such as an FTP or HTTP error message. SPSs can generally only
> drop packets, drop connections, or send ICMP errors.
> - Provide strong authentication.
The above (and some of the below) are implementation details, nothing more.
I'm sure if you spent enough time and money you could do either with
everything you've listed here.
> In addition, SPSs:
> - Can run with a very small Kernel image (full operating system
> functionality is not required).
What about if you want to log things ?
> - Can use a very small amount of code to control packets to/from all
> services. This small code base is probably easier to audit than a
> number of AGs.
Not if they use a common code base.
In my experience, it isn't the control code which is hard, but the code
which does the matching and deciding, "do I want to allow this or not ?"
> - Generally require less work than an AG to set up a new service.
Yes & no. It doesn't take much effort to use plug-gw, but if you want
to set up a proper FTP transparent proxy, you could have a hard time.
Writing a proxy is a trivial exercise; writing SPS code is not.
> - Require configuration expertise (the screening rules are key).
You shouldn't be taking any less effort with an AG. The main difference
is that you've a greater chance of "failing safe" with an AG than with a
SPS, if you stuff up the access control rules.
> - Can generally sling packets faster than AGs.
No, they forward them, in most cases, with less delay.
> And AGs:
> - Require programming expertise (programming is key).
No more so than SPS.
The key differences are:
* it is hard to achieve the same performance throughput with AGs as SPSs
* it is hard to achieve the same level of security as AGs with SPSs
* it is hard to achieve the same flexibility of either with the other
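As an added illustration of the port-scan point above (my own example, not code from the original discussion): a per-source sliding window over every port a subnet receives, the kind of check a stateful screen or a BPF-based sniffer can run, next to the single-port view an application gateway has. The packet records are constructed, not captured.

```python
from collections import defaultdict, deque

# Constructed packet summaries as (timestamp_seconds, src, dst, dport),
# i.e. what a screen watching a whole subnet would see.
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "192.168.1.10", 21),   # fast sequential scan
    (1.0, "10.0.0.5", "192.168.1.10", 22),
    (2.0, "10.0.0.5", "192.168.1.10", 23),
    (3.0, "10.0.0.5", "192.168.1.10", 25),
    (4.0, "10.0.0.5", "192.168.1.10", 80),
    (5.0, "10.0.0.5", "192.168.1.10", 110),
    (0.5, "10.0.0.7", "192.168.1.10", 80),   # ordinary client traffic
    (1.5, "10.0.0.7", "192.168.1.10", 80),
    (2.5, "10.0.0.7", "192.168.1.11", 25),
    (0.0, "10.0.0.9", "192.168.1.10", 21),   # slow scan, 20 s apart
    (20.0, "10.0.0.9", "192.168.1.10", 22),
    (40.0, "10.0.0.9", "192.168.1.10", 23),
    (60.0, "10.0.0.9", "192.168.1.10", 25),
    (80.0, "10.0.0.9", "192.168.1.10", 80),
]


def detect_port_scans(packets, window=10.0, threshold=5):
    """Return {src: first_alert_timestamp} for sources that touch at least
    `threshold` distinct (dst, dport) pairs within any `window` seconds.
    A slow scan spread wider than the window is deliberately not flagged,
    which is the usual blind spot of a time-windowed detector."""
    recent = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
    alerts = {}
    for ts, src, dst, dport in sorted(packets):
        q = recent[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > window:   # expire old entries
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def gateway_view(packets, port):
    """Packets a per-service gateway on `port` would ever see: it cannot
    count probes across ports, which is why an AG alone misses a scan."""
    return [p for p in packets if p[3] == port]
```

Raising `window` to cover the slow scanner flags it too, at the cost of keeping more state per source.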