NFR Wizards Archive: Re: Stateful Packet Filter (SPF) vs Applic

Re: Stateful Packet Filter (SPF) vs Application Layer Gateway (ALG)


Ryan Russell (ryanrsybase.com)
Fri, 3 Jul 1998 18:26:06 -0700


I assume this is at least partially addressed at me, so
I'll take it personally :)

>SPF is a cool, fast, efficient way to help protect a network. SPF as an
>architecture allows you to do a lot of great things. You can monitor
>connection state, you can inspect every piece and flag in every layer of a
>packet, you can even buffer data in chunks large enough to filter based on
>application information, such as certain commands, virus checking, even
>ActiveX and Java filtering. It can cut through a tin can, and then
>perfectly slice tomatoes. And when you have completed all the hairy
>development, spliced into the stacks of stock operating systems by
>replacing their libraries, and included a scripting language to allow
>users to program their own protocol checks, you have an amazing device.
>You have an ALG running on a semi-hardened IP stack.

No, you don't. For what you've described, the host running that software
wouldn't be able to use it to, say, open a telnet connection or send
a syslog packet, so it's not an IP stack.

>You do not even have an ALG running on a properly hardened OS.

You might not even have an OS.

>And worse, you have tried to re-invent the wheel, duplicating most of what
>a properly debugged IP stack was created to do in the first place. Manage
>connections using state information.

Why with state information? If you like writing IP stacks better, then
write it like an IP stack. Folks, the "Stateful" in SPF refers to the fact
that it keeps information ABOUT packets, not necessarily HOW it keeps it.

>Digging into that kind of development
>opens the door to remaking all the mistakes made during development and
>testing of IP Stacks, which has lasted how long? 20 years or more?

Reuse one.
                              Ryan
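An added example (not from the original post or its author) of the point made above: a filter can be "stateful" by keeping a small table of facts about packets it has seen, with no IP stack behind it. It assumes the protected network is 10.0.0.0/24 and uses constructed packets with TCP flags written as letters.

```python
from collections import namedtuple

INSIDE_NET = "10.0.0."  # assumption: protected hosts live in 10.0.0.0/24
# flags are TCP flag letters: S (SYN), SA (SYN-ACK), A (ACK), FA (FIN-ACK)
Packet = namedtuple("Packet", "src dst sport dport flags")

class StatefulFilter:
    def __init__(self):
        # state table: (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    def decide(self, p):
        # Normalise the 4-tuple so both directions of a flow share one entry
        if p.src.startswith(INSIDE_NET):
            key, outbound = (p.src, p.sport, p.dst, p.dport), True
        else:
            key, outbound = (p.dst, p.dport, p.src, p.sport), False
        state = self.table.get(key)
        if state is None:
            # Only an outbound SYN creates state; anything else is unsolicited
            if outbound and p.flags == "S":
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            return "DROP"
        if state == "SYN_SENT":
            if not outbound and p.flags == "SA":
                self.table[key] = "ESTABLISHED"
                return "ALLOW"
            return "ALLOW" if p.flags == "S" else "DROP"  # SYN retransmit is fine
        if "F" in p.flags:  # first FIN half-closes, second FIN removes the entry
            if state == "ESTABLISHED":
                self.table[key] = "FIN_WAIT"
            else:
                del self.table[key]
        return "ALLOW"

def demo_trace():
    # Constructed trace: one legitimate session plus an unsolicited inbound SYN
    f = StatefulFilter()
    pkts = [
        Packet("10.0.0.5", "203.0.113.10", 40000, 80, "S"),
        Packet("203.0.113.10", "10.0.0.5", 80, 40000, "SA"),
        Packet("198.51.100.7", "10.0.0.5", 4444, 22, "S"),    # no matching state
        Packet("203.0.113.10", "10.0.0.5", 80, 40000, "A"),
        Packet("203.0.113.10", "10.0.0.5", 80, 40000, "FA"),
        Packet("10.0.0.5", "203.0.113.10", 40000, 80, "FA"),
        Packet("203.0.113.10", "10.0.0.5", 80, 40000, "A"),   # arrives after close
    ]
    return [f.decide(p) for p in pkts]
```

The table holds only the verdict-relevant facts about each flow; the filter never reassembles segments or sends anything, which is exactly the distinction between keeping information about packets and implementing a stack.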



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:32 CDT