On 9 Jun 1997, Ryan Russell/SYBASE wrote:
> I'm not sure how one would measure reliability, but
> my personal experience has been good.
>
> I disagree that a SPF != a proxy, at least not
> entirely.
Well, the fact that the lower level protocols aren't protected behind the
perimiter is an issue. With an applicaiton layer proxy, only the firewall
needs to correctly handle sequence numbers, TCP window sizes, TCP headers,
etc. With SPF, the SPF box implementations I've seen don't keep state on
things like that for every connection, and if they do, normally out of
order packet reception is severly degraded.
At some point, you lose the advantages over application layer gateways if
you keep too much state information. Also, it's very difficult to code
application layer blocking without a great deal more work, for instance,
blocking <applet> as a tag is different than blocking <applet> as a
string.
I've still yet to see an example of something a SPF blocks that an
application layer gateway doesn't. The reverse certainly isn't true of
current implementations.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts @
clark .
net which may have no basis whatsoever in fact."
PSB#9280
References:
|
|
