Great Circle Associates Firewalls
(October 1997)
 


Subject: Re: sex, lies, and firewall code
From: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>
Date: 20 Oct 97 17:47:43 EDT
To: Bill Stout <stoutb @ pios . com>
Cc: firewalls <firewalls @ GreatCircle . COM>

>Lies:
>It is a misrepresentation to say that state-based filtering mechanisms
>provide security anywhere near the superior security offered by proxy-based
>firewalls.  My biggest beef with 'state-based firewalls' is that a
>state-based filter cannot rewrite packets, it passes packets through,
>leaving the internal network exposed to various packet attacks.  A
>state-based filter also does not have the application code to intelligently
>filter application commands.  

Now there's an appropriately named paragraph :)

Now, do you mean "can't" or "don't"?  Naturally, an SPF *can* do anything
that a proxy could.  It has the whole packet, it can do whatever it wants
to with it.  It can re-write the whole packet, and can have any application
code desired to filter anything.

If you meant to state that the current SPF implementations don't filter
much, that is a bit more correct.

    Ryan

