Have been following this discussion with a lot of interest as a reseller
of both SPF and proxy firewalls. I happen to believe that both are
appropriate in different circumstances and customer need. Nevertheless, I
am a little troubled by the claims that SPFs are inherently
insecure. Let me present a challenge. Let's compare some specific
commercial offerings -- Firewall-1 in one corner representing SPF and say
Gauntlet, Raptor, or ANS in the other representing the proxy approach.
What I would like is some specific vulnerability that I cannot protect
myself from using the SPF as opposed to the proxy approach. Again just
for emphasis, I am interested in specific vulnerabilities not just
restatement that in theory proxies are better because they deal with the
protocol at the application layer. My somewhat cynical hypothesis, until
proven wrong with a specific example, is that the majority of proxies are
really not better and in fact may be no more than a disguised SPF with
address translation.
Mike Ordun
mordun @ lancomp . com