Firewalls: Re: Stateful Packet Screens

Firewalls
(July 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Stateful Packet Screens
From:	peter @ baileynm . com (Peter da Silva)
Date:	Mon, 1 Jul 1996 08:37:28 -0500 (CDT)
To:	shaver @ neon . ingenia . ca (Mike Shaver)
Cc:	avalon @ coombs . anu . edu . au, chris @ dejong . com, Firewalls @ GreatCircle . COM
In-reply-to:	<199606302141 . RAA31883 @ neon . ingenia . com> from "Mike Shaver" at Jun 30, 96 05:41:40 pm

> As Darren pointed out, it's possible to do everything an AG does with
> an SPS, and vice versa.

However, in practical terms, you can't get a stateful packet filter that
will do all the stuff even the simplest application level gateways do as
a matter of course, and for a simple configuration it's much easier to
get the existing ALGs configured right than the existing SPFs.

In theory, you and Darren are correct. In practice, existing implementations
do fall into clumps with user convenience and performance being highest for
packet filters, and administrative convenience and security being highest
for proxies.

Follow-Ups:

Re: Stateful Packet Screens
From: Darren Reed <avalon @ coombs . anu . edu . au>

Indexed By Date	Previous:	Re: Hardware requirements of Firewall-1 From: Rick Romkey <pokey @ maddie . atlantic . com>
Indexed By Date	Next:	Re: NT Backoffice "Catapult" firewall certified? From: peter @ baileynm . com (Peter da Silva)
Indexed By Thread	Previous:	Re: Hardware requirements of Firewall-1 From: security @ qualix . com (Nik I. Knoth)
Indexed By Thread	Next:	Re: Stateful Packet Screens From: Darren Reed <avalon @ coombs . anu . edu . au>