Ryan Russell writes:
>Well, I finally got around to writing down my arguments
>on the above subject. Check it out at:
>>I hope to convince the reader, to whatever degree I can, of the following:
>> 1. Proxies are a special case of a SPF.
>> 2. SPFs can be the more secure choice depending on the requirements.
>> 3. Network address translation (NAT) can be considered a form of
>> security on its own.
One thing to note - SPF and crypto do not mix.
I saw a case last week where users behind a PIX firewall could not use
an encrypted FTP, because the PIX box could not inspect the content of
PORT commands and allow the data ports to be connected to.
Solutions are:
1. Use passive mode transfers.
2. Turn off the filtering in the PIX :-)
3. Do without crypto :-)
1 is obviously preferable if both sides can handle it - not always the
case. The other two are not attractive at all. If they'd been using
a proxy, they would not have had a problem.
--sjg
--
Simon J. Gerraty <sjg @ quick . com . au>
#include <disclaimer> /* imagine something _very_ witty here */
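
The failure described in this message, as an added example that is not part of the original post: a simplified sketch of the control-channel inspection a stateful filter performs for active-mode FTP (not PIX code). Function names, addresses and the opaque sample bytes are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# RFC 959 active-mode command: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(rb"PORT " + rb",".join([rb"(\d{1,3})"] * 6) + rb"\r\n")

Pinhole = Tuple[str, int]


def pinhole_from_line(line: bytes, client_ip: str) -> Optional[Pinhole]:
    """Return the (ip, port) an inbound data connection may reach, or None."""
    m = PORT_RE.fullmatch(line)
    if m is None:
        return None                      # not a readable PORT command
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None                      # malformed octet or port byte
    ip = ".".join(str(n) for n in nums[:4])
    if ip != client_ip:
        return None                      # only open a hole toward the requester
    return ip, nums[4] * 256 + nums[5]


def inspect(control_stream: List[bytes], client_ip: str) -> List[Pinhole]:
    """Collect every pinhole the filter can derive from what it sees on the wire."""
    found = (pinhole_from_line(line, client_ip) for line in control_stream)
    return [p for p in found if p is not None]


CLIENT = "192.0.2.10"                    # constructed (documentation address)

# Constructed cleartext control channel: the filter can read the PORT command.
CLEARTEXT = [b"USER anonymous\r\n", b"PORT 192,0,2,10,195,80\r\n", b"RETR f.txt\r\n"]

# Constructed opaque bytes standing in for the same commands once encrypted.
ENCRYPTED = [bytes.fromhex("9f3ca17be2054d88"), bytes.fromhex("c41d7a90ee3b5f02a6")]

if __name__ == "__main__":
    print("cleartext pinholes:", inspect(CLEARTEXT, CLIENT))
    print("encrypted pinholes:", inspect(ENCRYPTED, CLIENT))
```

With no pinhole derived, the server's inbound data connection is dropped, which is why passive mode (where the client opens the data connection outbound) avoids the problem.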