Great Circle Associates Firewalls
(July 1996)

Subject: Re: Stateful Packet Screens
From: Ryan.Russell/SYBASE
Date: 1 Jul 96 13:13:23 EDT
To: Peter da Silva <peter @ baileynm . com>
Cc: Mike Shaver <shaver @ sybase . com>, avalon <avalon @ sybase . com>

I would not disagree that ALGs would probably allow
one to more easily filter stuff in the datastream (i.e. yank
out stuff between the <script> </script> tags.)  This is because,
by their nature, many of them store a significant portion of the document
on its way through, and hence, would make it easier to run through
some script on the proxy server.  This would also be why they would
tend to be slower.  Please correct me if I'm wrong, I'm no proxy
expert.  I've only used CERN and Socks proxies.  And I didn't
administer them.  I suppose the upshot would be that web proxies
could cache today's Dilbert if you wanted.

I agree that you could probably do the same with the SPFs on the
market today, but I wouldn't want to try.

I'm not sure about the security point...  If your assumption is that
being able to parse datastreams makes for better security, I suppose
that could be correct.  I think it might be a difference of opinion though,
as I've mentioned on the list before, I am not about to attempt to catch
viruses and evil applets on their way in through the firewall.  I think that is a
losing battle.  I would rather have good antivirus and a fixed Netscape
on the host on the inside.

I definitely disagree on the administrative convenience point.  I have/had
a socks proxy, and having a transparent SPF is MUCH easier for me.
Granted, it was Socks 4, but even so.  I suspect that one will have a much
easier time allowing a new type of service on a SPF than an AG.  The SPF I have (FW1)
will automatically allow some new service out of the box, if the network
transaction is simple enough (i.e. a simple TCP transaction.)  That may or may
not be a good thing.  I prefer to let my users access as many toys as will
work through the firewall.  I'll let you know if I change my mind when we use up
our bandwidth.

Are there proxies that are as transparent as something like FW1?  If not,
how can you say that having to set proxy entries on all your inside hosts
on a per-app basis is administratively easier?

      Ryan
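As an added illustration (not from Ryan's or Peter's posts, and not FW1's or any vendor's code), a toy Python model of the two approaches the thread compares: a stateful packet screen that admits return traffic only for sessions an inside host opened (the "simple TCP transaction" case) and looks at headers only, beside a proxy-style filter that has to buffer the reassembled document before it can strip <script> blocks. The addresses, packets and document are constructed for the demo.

```python
# Added illustration, not code from the mailing-list thread or from FW1.
import re
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str; sport: int; dst: str; dport: int
    flags: set = field(default_factory=set)   # e.g. {"SYN"}, {"SYN","ACK"}, {"FIN"}
    payload: bytes = b""

INSIDE = "10.0.0."   # constructed prefix for the protected network

class StatefulScreen:
    """SPF side of the thread: tracks TCP sessions by 4-tuple, allows a session
    only if an inside host opened it, and never looks at the payload."""
    def __init__(self):
        self.table = {}   # (inside_ip, sport, outside_ip, dport) -> state
    def decide(self, p: Packet) -> str:
        if p.src.startswith(INSIDE):                   # outbound direction
            key = (p.src, p.sport, p.dst, p.dport)
            if "SYN" in p.flags and key not in self.table:
                self.table[key] = "SYN_SENT"           # new outbound session
                return "ALLOW"
            if key in self.table:
                if "FIN" in p.flags: self.table[key] = "CLOSING"
                return "ALLOW"
            return "DROP"
        key = (p.dst, p.dport, p.src, p.sport)         # reply direction
        state = self.table.get(key)
        if state == "SYN_SENT" and {"SYN", "ACK"} <= p.flags:
            self.table[key] = "ESTABLISHED"; return "ALLOW"
        if state in ("ESTABLISHED", "CLOSING"):
            return "ALLOW"
        return "DROP"                                  # unsolicited inbound

SCRIPT_RE = re.compile(rb"<script\b.*?</script\s*>", re.I | re.S)

def alg_filter(stream: bytes) -> bytes:
    """ALG side: works on the whole reassembled document, so it can strip
    <script>...</script>; the buffering is also why it tends to be slower."""
    return SCRIPT_RE.sub(b"", stream)

def demo():
    s = StatefulScreen()
    pkts = [Packet("10.0.0.5", 1234, "192.0.2.9", 80, {"SYN"}),
            Packet("192.0.2.9", 80, "10.0.0.5", 1234, {"SYN", "ACK"}),
            Packet("10.0.0.5", 1234, "192.0.2.9", 80, {"ACK"}, b"GET / HTTP/1.0\r\n\r\n"),
            Packet("192.0.2.9", 80, "10.0.0.5", 1234, {"ACK"}, b"<html><script>x()</script>ok</html>"),
            Packet("198.51.100.7", 4000, "10.0.0.5", 23, {"SYN"})]   # inbound telnet, never requested
    verdicts = [s.decide(p) for p in pkts]
    return verdicts, alg_filter(pkts[3].payload)
```

`demo()` returns the per-packet verdicts of the screen and the document as the proxy-style filter would pass it on; the screen's last verdict is the only thing it can say about the unsolicited inbound SYN, while only the ALG ever sees the script block.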

---------- Previous Message ----------
To: shaver
cc: avalon, chris, Firewalls
From: peter @ baileynm.com (Peter da Silva) @ smtp
Date: 07/01/96 08:37:28 AM
Subject: Re: Stateful Packet Screens

> As Darren pointed out, it's possible to do everything an AG does with
> an SPS, and vice versa.

However, in practical terms, you can't get a stateful packet filter that
will do all the stuff even the simplest application level gateways do as
a matter of course, and for a simple configuration it's much easier to
get the existing ALGs configured right than the existing SPFs.

In theory, you and Darren are correct. In practice, existing implementations
do fall into clumps with user convenience and performance being highest for
packet filters, and administrative convenience and security being highest
for proxies.