Great Circle Associates Firewalls
(June 1997)

Subject: relative security of Proxies vs. SPFs
From: John Stewart <johns @ heurikon . com>
Date: Fri, 06 Jun 1997 13:30:43 CDT
To: ryan . russell @ sybase . com
Cc: firewalls @ greatcircle . com

ryan . russell @ sybase . com said (at http://futon.sfsu.edu/~rrussell/spfvprox.htm):
> So why do I claim the SPF can be more secure than proxies? Again, I 
> emphasize can. Let me start with the converse: If you are only going 
> to allow a single protocol through, even if you don't want to filter 
> or validate the data in any meaningful way, get a good proxy. It 
> should provide better security than a SPF.

> So here's my argument: Before, I gave an example of a bad proxy, it 
> had a bug (unexpected behavior, bad design, to simplify, I'm going to 
> call it a bug.) Ok, so SPFs can have bugs too, right? Sure. So, now 
> you have to "proxy" two protocols. You still don't want to do any 
> special filtering, just pass it through. So, let's assume that 
> proxies have one bug each, as do SPFs. So, we have one SPF and two 
> proxies. One bug with the SPF and two for the proxies. Do you see 
> where I'm heading with this? If you want to pass n protocols, you 
> have n bugs with proxies, 1 with the SPF. Or another way to think of 
> it, the proxies will be (collectively) 1/n as secure as the SPF.  

I'm not by any means an expert on the subject (or on firewalls in general), but I must beg to differ with your reasoning...

A Stateful Packet Filter (SPF), in order to deal with a specific protocol (telnet, http, ftp, etc...), has to have a specific ruleset to deal with that protocol, correct? Therefore, shouldn't we assume a bug in each of the protocol rulesets rather than in the SPF as a whole? Then we'd have two bugs in the SPFs vs. two proxies with one bug each.

Given this, and your previous arguments, they work out to be the same security-wise, although I also don't think that the overall security of the product is fairly evaluated by merely assuming 1 bug per section of code. If you're going to use this line of reasoning, you should at least factor in the relative probability of a bug occurring based on the complexity of the code (how does proxy code compare in complexity to SPF rules?) *AND* the probability that a random bug will compromise security (I'm inclined to believe that an SPF ruleset is much more likely to fail-open than an equivalent proxy).

johnS
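The bug-counting argument in the two posts above, written out as a small model (an added example, not code from either poster): the naive "one bug per component" count versus a count where the SPF carries one ruleset per protocol plus a shared engine, and every component's expected bugs are weighted by code complexity and by the chance a random bug fails open. All numeric parameters are constructed assumptions chosen only to show that the 1/n conclusion depends on them.

```python
"""Expected security-compromising defects: n proxies vs. one SPF with n rulesets."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    complexity: float      # relative code or ruleset size (assumed, arbitrary units)
    p_bug_per_unit: float  # chance one unit of complexity hides a bug (assumed)
    p_fail_open: float     # chance a random bug in it compromises security (assumed)

    def expected_compromising_bugs(self) -> float:
        # expected bugs scale with size; only the fail-open fraction matters for security
        return self.complexity * self.p_bug_per_unit * self.p_fail_open


def expected_compromises(components) -> float:
    return sum(c.expected_compromising_bugs() for c in components)


def naive_model(n: int) -> dict:
    """Ryan's count: one bug per proxy, a single bug for the SPF as a whole."""
    return {"proxies": float(n), "spf": 1.0}


def per_protocol_model(n: int, proxy: Component, ruleset: Component,
                       spf_core: Component) -> dict:
    """John's objection: the SPF needs a ruleset per protocol on top of its shared
    engine, and each piece is weighted by complexity and fail-open probability."""
    proxies = [proxy] * n
    spf = [spf_core] + [ruleset] * n
    return {"proxies": expected_compromises(proxies),
            "spf": expected_compromises(spf)}


# Constructed parameters (hypothetical): proxies are bigger but tend to fail closed;
# SPF rulesets are small but, as John suspects, more likely to fail open.
PROXY = Component("single-protocol proxy", complexity=10, p_bug_per_unit=0.1, p_fail_open=0.2)
RULESET = Component("SPF protocol ruleset", complexity=2, p_bug_per_unit=0.1, p_fail_open=0.5)
SPF_CORE = Component("SPF state engine", complexity=5, p_bug_per_unit=0.1, p_fail_open=0.5)

if __name__ == "__main__":
    for n in (1, 2, 4):
        print(n, "protocols  naive:", naive_model(n),
              " weighted:", per_protocol_model(n, PROXY, RULESET, SPF_CORE))
```

With these assumptions the SPF looks worse at n=2 and better at n=4, so the ranking is an artefact of the parameters rather than of the architecture itself.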
