Great Circle Associates Firewalls
(July 1996)
 


Subject: Re: Stateful Packet Screens
From: Darren Reed <avalon @ coombs . anu . edu . au>
Date: Mon, 1 Jul 1996 23:58:17 +1000 (EST)
To: peter @ baileynm . com (Peter da Silva)
Cc: shaver @ neon . ingenia . ca, Firewalls @ GreatCircle . COM (Firewalls Mailing List)
In-reply-to: <9607011337 . AA04872 @ sonic . nmti . com . nmti . com> from "Peter da Silva" at Jul 1, 96 08:37:28 am

In some mail from Peter da Silva, sie said:
> 
> > As Darren pointed out, it's possible to do everything an AG does with
> > an SPS, and vice versa.
> 
> However, in practical terms, you can't get a stateful packet filter that
> will do all the stuff even the simplest application level gateways do as
> a matter of course, and for a simple configuration it's much easier to
> get the existing ALGs configured right than the existing SPFs.

The simplest application gateways just forward data, in sequence.
I class things like "tcp-relay", etc., as AGs.  Even plug-gw isn't that
complicated, compared to, say, ftp-gw.

> In theory, you and Darren are correct. In practice, existing implementations
> do fall into clumps with user convenience and performance being highest for
> packet filters, and administrative convenience and security being highest
> for proxies.

Time permitting, I'll make you eat those words.


