Firewalls: Re: proxy vs. smli white paper

Firewalls
(April 1997)

Indexed By Thread: [Previous] [Next]

Subject:	Re: proxy vs. smli white paper
From:	Darren Reed <avalon @ coombs . anu . edu . au>
Date:	Sun, 27 Apr 1997 18:12:51 +1000 (EST)
To:	lists @ lina . inka . de (Bernd Eckenfels)
Cc:	avolio @ tis . com, lists @ lina . inka . de, larry @ nwnet . net, Firewalls @ GreatCircle . COM
In-reply-to:	<m0wLDEa-00016mC @ lina . inka . de> from "Bernd Eckenfels" at Apr 26, 97 09:33:51 pm

In some mail from Bernd Eckenfels, sie said:
[...]
> SMLI Firewall technique is based on a few things:
> a) parse Packets
> b) keep state between packets
> c) do actions based on the parsed data and state
> d) send original (or modified) packets.

e) the assumption that no packet processed is a fragment

f) whenever you're looking for data in a TCP connection, it will
   always be in "one packet" (re. FW-1/Gauntlet incompatibility).

SMLI breaks down and the complexity increases siginificantly when
you need to deal with (e) and (f).  Granted, packets which break
the last two assumptions (e) and (f), do make up a small minority
of the cases in real life.

Darren

References:

Re: proxy vs. smli white paper
From: Bernd Eckenfels <lists @ lina . inka . de>

Indexed By Date	Previous:	Re: Firewalls-Digest V6 #176 From: <blast @ worldbit . com>
Indexed By Date	Next:	Off Topics-Unix Mail Lists From: John Pilley <jpilley @ lioninc . com>
Indexed By Thread	Previous:	Re: proxy vs. smli white paper From: Bernd Eckenfels <lists @ lina . inka . de>
Indexed By Thread	Next:	Re: proxy vs. smli white paper From: Bernd Eckenfels <lists @ lina . inka . de>