Great Circle Associates Firewalls
(June 1997)
 


Subject: Re: Stateful Packet Filters vs. Proxies
From: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>
Date: 9 Jun 97 10:24:09 EDT
To: "Craig I. Hagan" <hagan @ cih . com>
Cc: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>, Darren Reed <avalon @ coombs . anu . edu . au>, sjg <sjg @ quick . com . au>, firewalls <firewalls @ GreatCircle . COM>

If you claim they are different because they are written
differently, sure, I'll buy that.

My claim was based on how they functioned, what happened
to packets on the way through, and what level of security
they provide.  I should have clarified.  My argument
was based on how they appear to behave from the
outside, black-box style.

    Ryan

---------- Previous Message ----------
To: Ryan.Russell
cc: avalon, sjg, firewalls
From: hagan @ cih . com ("Craig I. Hagan") @ smtp
Date: 06/09/97 12:56:03 PM
Subject: Re: Stateful Packet Filters vs. Proxies

> my personal experience has been good.
> 
> I disagree that a SPF != a proxy, at least not
> entirely.

you make an interesting argument. I will assert my belief that SPFs and
proxies represent something akin to convergent evolution -- are bats
special cases of birds, marsupial mice special cases of mice, etc?
Admittedly, unlike evolution, we have a situation where people can learn
from others' successes and failures. Things may look like ducks, quack
like ducks, but if their DNA/source says "not a duck" it ain't a duck.

Why do i believe that they are fundamentally different? SPFs are
implemented as an adjunct to the IP stack of the machine -- basically
it requires down and dirty OS level code in order to operate. Proxies
don't. Merely because the SPF looks and acts like a dumb proxy doesn't
make it a dumb proxy -- nor does it make dumb proxies special
cases of SPF's. 

Now, an important adjunct: i'm merely addressing your assertion that SPFs
and proxies belong to the same family of things, be it SPFs being special
cases of proxies, or vice versa. I believe that the arguments over which
is more secure are beyond the scope of this reply, and have more to do with
availability and ease of modifying the source code to both (i'd rather an
SPF with rebuildable source than a proxy w/o it). Of course, there are
many other factors to add into this equation, but, i'm digressing and
risking flamage :) 

-- craig






-------------------------------------------------------------------------------
Craig I. Hagan     "It's a small world, but I wouldn't want to back it up"
hagan @ cih . com         "True hackers don't die, their ttl expires"
   "It takes a village to raise an idiot, but an idiot can raze a village"




