Why "low security" end of the spectrum? Because SPF
tends to support more app types? I don't believe in
restricting the kind of data that users can access as a
reasonable form of security. Besides, they will always
find a way around it. Do you think that proxies that support
essentially Telnet, FTP, and HTTP are more secure
than other solutions that support more? In theory, yes,
fewer data attacks to worry about... in practice, all the
interesting data attacks are coming through HTTP
anyway. And, it's quite easy for me to deny a particular
service should I choose to. Just as easy as it would be
on a proxy, I would expect.
What kind of proxy do you use? Why couldn't a proxy
be transparent?
Is anyone out there doing anything
with, say, a web proxy, besides just passing the HTML
document through? Is anyone getting any value
while taking the speed hit and having to configure
your clients specially?
Ryan
---------- Previous Message ----------
To: Ryan.Russell
cc: firewalls
From: peter @ baileynm.com (Peter da Silva) @ smtp
Date: 07/01/96 03:53:06 PM
Subject: Re: Stateful Packet Screens
> I definitely disagree on the administrative convenience point. I have/had
> a socks proxy, and having a transparent SPF is MUCH easier for me.
That depends on what your security policy is. If it's "allow anything if
it's initiated on the inside" then a packet filter is definitely easier
than SOCKS. But then you're tending towards the "low security" end of
the spectrum to begin with.
> Are there proxies that are as transparent as something like FW1?
If there are, they're not doing anything more than a packet filter.