Great Circle Associates Firewalls
(April 1998)
 


Subject: Re: socks versus fw-1 stateful inspection vulnerabilities
From: "Ryan Russell" <ryanr @ sybase . com>
Date: Mon, 6 Apr 1998 14:10:18 -0700
To: Christopher Zarcone <czarcone @ vf . lmco . com>
Cc: firewalls @ greatcircle . com

There are a number of reasons: flexibility, speed (I believe
that SPFs would be slightly faster than AGs when doing as much work,
I might be wrong), and the fact that SPFs can do more.  I'll update
my rant soon, and qualify that last point.

But, now you've agreed with the short point I was trying to
make (that SPFs can do the same thing as AGs if programmed
to do so) and I've started into the "Why I think SPFs are cool"
discussion, so I'll drop it.

                         Ryan





Christopher Zarcone <czarcone @ vf . lmco . com> on 04/06/98 05:09:24 AM

Please respond to Christopher Zarcone <czarcone @ vf . lmco . com>

To:   Ryan Russell/SYBASE
cc:   firewalls @ greatcircle . com
Subject:  Re: socks versus fw-1 stateful inspection vulnerabilities




Ryan,

I suppose I should clarify what I said:

Historically I have come to understand "packet filtering" as screening
based on IP-level and transport level information. With such limited
information, you can't determine with certainty the application-level
service; you can only make a best guess.

Of course, if you have a more advanced packet filter, you could arbitrarily
examine any or all bits in the entire packet. At that point, though, you're
basically performing application-level analysis, and incurring the
performance penalty, so why not use a proxy?

Regards,

Chris

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Christopher Zarcone - Data Communications Design Analyst
Lockheed Martin Enterprise Information Systems
czarcone @ vf . lmco . com  *  Chris . Zarcone @ lmco . com  *  czarcone @ acm . org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       My opinions do not necessarily reflect those of my employer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


> >Jon,
> >
> >Stateful inspection engines suffer the same disadvantages as packet filters,
> >because THEY ARE packet filters.
>
> But they are not JUST packet filters.
>
> >I would say that (my) single biggest problem with packet filtering is
> >application-level security (e.g. how can a packet filter differentiate a
> >sendmail server from a rogue webserver running on port 25? It can't. A proxy
> >can.)
>
> They can, in the same manner that a proxy can.
>









