NFR Wizards Archive: Stateful Packet Filter (SPF) vs Application Layer Gateway (ALG)

Stateful Packet Filter (SPF) vs Application Layer Gateway (ALG)

ICMan (shanetor.securecomputing.com)
Fri, 3 Jul 1998 11:46:26 -0400

Once again, the vicious fight between SPF and ALG proponents gets center
stage. I, ICMan, valiant knight of the ALG Legion, stride forth in my
majesty to battle the evil hordes of SPF supporters. ;-)

SPF is a cool, fast, efficient way to help protect a network. SPF as an
architecture allows you to do a lot of great things. You can monitor
connection state, you can inspect every piece and flag in every layer of a
packet, you can even buffer data in chunks large enough to filter based on
application information, such as certain commands, virus checking, even
ActiveX and Java filtering. It can cut through a tin can, and then
perfectly slice tomatoes. And when you have completed all the hairy
development, spliced into the stacks of stock operating systems by
replacing their libraries, and included a scripting language to allow users
to program their own protocol checks, you have an amazing device. You have
an ALG running on a semi-hardened IP stack.

You do not even have an ALG running on a properly hardened OS.

And worse, you have tried to re-invent the wheel, duplicating most of what
a properly debugged IP stack was created to do in the first place. Manage
connections using state information. Digging into that kind of development
opens the door to remaking all the mistakes made during development and
testing of IP Stacks, which has lasted how long? 20 years or more?
Microsoft is making all the same mistakes in their IP implementation that
BSD did 15 years ago, because they are not looking at all the work that has
been done in that time; the bug fixes, the design changes, etc. We all
condemn M$ for this oversight, and brazenly declare that "NT is crap in the
security arena. We would never encourage a customer to use NT as the basis
for a perimeter security device!" So, why do we trust developers that
don't trust the IP stacks that they use, and try to rewrite them from

That said, I come to the defense of SPFs in aid against my own vicious
attack. The reason for SPFs is so you DON'T HAVE to dig into the OS and
mess with the stack, adding filters, checks, etc. The IP stack of an OS is
a very complicated animal, and the faint of heart should not even go near
one. Taking an SPF and tightening it down to the same security level of an
ALG kills its performance advantage. SPF is not designed to be the
perfect answer to security needs on a firewall. ALGs are not designed to
be the perfect security solution for a firewall. ALGs are more secure,
SPFs are faster and more flexible. That is the difference, and that should be
foremost in your mind when determining the needs for your customers.

'nuff said! ;-)


PS. It is my opinion that ALGs by themselves are more secure than SPFs,
but that to really get a definite security boost, the OS needs to be
hardened. I don't mean hardened like one popular company with an SPF
Firewall means hardened. All they do to "harden" the OS is to turn off a
bunch of services. I mean HARDEN. Get into the source for the kernel and
either start debugging, or add additional protection measures. Cell-like
division of processes, categorized into domains which have strictly
enforced, limited access to other files and processes outside of their
domain, etc. DOD uses firewalls that have such Mandatory Access Control
built into them. If you are going to dig into the kernel of an OS, it
makes sense to harden the stack rather than make a new one from scratch, so
an ALG would be your logical choice of architecture.
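
The architectural split the post argues about, as an added illustration that is not part of the original message and not code from any product it mentions: a toy stateful packet filter that keeps a connection table and never reads payload, next to a toy application-layer gateway that reassembles the command stream and relays only an allowlist of verbs. The addresses, packets, FTP verbs and the `Packet`, `StatefulFilter` and `FtpGateway` names are all constructed for the example.

```python
"""Toy stateful packet filter (SPF) next to a toy application-layer gateway (ALG).

Added example, not code from the original post or from any product it mentions.
Everything here is constructed: the addresses, the packets, the FTP allowlist.
"""
from dataclasses import dataclass

# Constructed: the protected network sits behind the firewall on 10.0.0.0/24.
INSIDE_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    """A TCP packet reduced to the fields the two devices look at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # any subset of "S", "A", "F", "R"
    payload: bytes = b""


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class StatefulFilter:
    """SPF: keeps a table keyed on the inside-initiated 4-tuple and lets a
    packet through only if it belongs to a connection the inside opened.
    It never reads the payload, which is where its speed comes from."""

    def __init__(self) -> None:
        self.table: dict = {}   # (client, cport, server, sport) -> state

    def decide(self, p: Packet) -> str:
        outbound = is_inside(p.src) and not is_inside(p.dst)
        key = (p.src, p.sport, p.dst, p.dport) if outbound else (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(key)
        if outbound:
            if "S" in p.flags and "A" not in p.flags:   # inside opens a connection
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            if state is None:
                return "DROP"          # outbound packet for a connection never seen
            if "R" in p.flags:
                self.table.pop(key, None)
            elif "F" in p.flags:
                self.table[key] = "CLOSING"
            return "ALLOW"
        # Inbound: only replies to a tracked connection get through.
        if state is None:
            return "DROP"              # unsolicited, including inbound SYNs
        if state == "SYN_SENT" and "S" in p.flags and "A" in p.flags:
            self.table[key] = "ESTABLISHED"
            return "ALLOW"
        if state in ("ESTABLISHED", "CLOSING"):
            if "R" in p.flags or (state == "CLOSING" and "F" in p.flags):
                self.table.pop(key, None)
            return "ALLOW"
        return "DROP"


class FtpGateway:
    """ALG: terminates the client's control connection, reassembles the command
    stream across packet boundaries, and relays only allowlisted verbs.
    The allowlist is constructed; a real gateway would also check arguments."""

    ALLOWED = frozenset({"USER", "PASS", "CWD", "PWD", "LIST", "RETR", "QUIT"})

    def __init__(self) -> None:
        self.buffers: dict = {}   # conn_id -> bytes not yet ending in CRLF

    def feed(self, conn_id: str, data: bytes):
        """Return (relayed, blocked) complete command lines; partial lines wait."""
        buf = self.buffers.get(conn_id, b"") + data
        relayed, blocked = [], []
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            verb = text.split(" ", 1)[0].upper()
            (relayed if verb in self.ALLOWED else blocked).append(text)
        self.buffers[conn_id] = buf
        return relayed, blocked


def demo():
    """Run constructed traffic through both devices; returns their decisions."""
    spf = StatefulFilter()
    decisions = [spf.decide(p) for p in (
        Packet("10.0.0.5", 40000, "203.0.113.9", 21, "S"),     # inside opens FTP
        Packet("203.0.113.9", 21, "10.0.0.5", 40000, "SA"),    # reply to a tracked flow
        Packet("203.0.113.9", 21, "10.0.0.5", 40001, "SA"),    # reply to nothing
        Packet("198.51.100.7", 5555, "10.0.0.5", 22, "S"),     # unsolicited inbound
    )]
    alg = FtpGateway()
    first = alg.feed("c1", b"USER anon\r\nSITE HELP\r\nRET")   # command split over packets
    second = alg.feed("c1", b"R notes.txt\r\n")
    return decisions, first, second


if __name__ == "__main__":
    print(demo())
```

The SPF side shows the point about state tracking: the unsolicited inbound SYN and the SYN/ACK for an unknown port are dropped without any payload inspection. The ALG side shows why the post calls the gateway the more secure of the two: a command split across two packets is only judged once it is complete, and anything outside the allowlist never reaches the server, at the cost of buffering and parsing every byte.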

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:31 CDT