com said (at http://futon.sfsu.edu/~rrussell/spfvprox.htm):
> So why do I claim the SPF can be more secure than proxies? Again, I
> emphasize can. Let me start with the converse: If you are only going
> to allow a single protocol through, even if you don't want to filter
> or validate the data in any meaningful way, get a good proxy. It
> should provide better security than a SPF.
> So here's my argument: Before, I gave an example of a bad proxy, it
> had a bug (unexpected behavior, bad design, to simplify, I'm going to
> call it a bug.) Ok, so SPFs can have bugs to, right? Sure. So, now
> you have to "proxy" two protocols. You still don't want to do any
> special filtering, just pass it through. So, let's assume that
> proxies have one bug each, as do SPFs. So, we have one SPF and two
> proxies. One bug with the SPF and two for the proxies. Do you see
> where I'm heading with this? If you want to pass n protocols, you
> have n bugs with proxies, 1 with the SPF. Or another way to think of
> it, the proxies will be (collectivly) 1/n as secure as the SPF.
I'm not by any means an expert on the subject (or on firewalls in general), but I must beg to differ with your reasoning...
A Stateful Packet Filter (SPF), in order to deal with a specific protocol (telnet, http, ftp, etc...), has to have a specific ruleset to deal with that protocol, correct? Therefore, shouldn't we assume a bug in each of the protocol rulesets rather than in in the SPF as a whole? Then we'd have two bugs in the SPFs vs. two proxies with one bug each.
Given this, and your previous arguments, they work out to be the same security-wise, although I also don't think that the overall security of the product is fairly evaluated by merely assuming 1 bug per section of code. If you're going to use this line of reasoning, you should at least factor in the relative probablity of a bug ocurring based on the complexity of the code (how does proxy code compare in complexity to SPF rules?) *AND* the probabilty that a random bug will compromise security (I'm inclined to believe that an SPF ruleset is much more likely to fail-open than an equivalent proxy).