Re: Proxy 2.0 secure? (AG vs. SPF)
Ryan Russell (ryanr@sybase.com)
Tue, 7 Jul 1998 09:55:03 -0700
I'm repeating myself a bit here because of some lag in messages getting to list members, but...

I claim that any IP handling software that isn't part of the OS, and hence isn't usable by the OS, is a type of SPF.

So, for example, if one believes that the exercise of taking a good IP stack and making it a standalone application can be accomplished without introducing significant bugs, then you have an excellent starting point.

I don't believe that SPFs have to be written as state machines. The "state" in SPF comes from the fact that the big brothers of traditional PFs keep "state" about previous packets... not that they necessarily use a state mechanism to do so.

Wouldn't having the IP stack not effectively running as root be an improvement? Couldn't there be some useful security information gleaned by not throwing away bits of information that are tossed currently by the barrier between IP stack and app logic that is the sockets API?

Ryan
Bennett Todd <bet@mordor.net> on 07/07/98 08:56:32 AM
To: Ryan Russell/SYBASE, tqbf@pobox.com
cc: firewall-wizards@nfr.net
Subject: Re: Proxy 2.0 secure? (AG vs. SPF)
1998-06-30-10:12:01 Ryan Russell:
> >--- but they have increased vulnerability to problems in other IP stacks,
> >because they are allowing remote hosts to communicate directly with those
> >stacks.
>
> I disagree with this assumption. Current SPF implementations do this. It
> doesn't mean someone couldn't write a better one.

In other words, you're banking your arguments about the superiority of stateful packet filtering on the fantasy that someone will write an SPF that does fragment reassembly, options stripping, and all the other implicit cleanup that's done by the IP stacks for application gateways.

Go for it. Maybe you're right; people have wasted the time and effort to write some amazingly awful dreck, and people continue to waste even more time and effort attempting to run it; there are a lot of sick pups out there.

But I'll betcha that even if someone _does_ what you propose --- write an entire IP stack, with application proxies and everything, as state transition rules for an SPF --- that the result will not be more secure than current application gateway firewalls. Rather, you'll have a vastly more complex implementation, which means more bug-ridden, and far harder to maintain and enhance in the face of changing demands. That definitely sounds like a market-leading product in today's market, I'll agree. I still won't use it. And I won't expect it to be more secure.

-Bennett
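The two points the thread turns on can be seen in a few dozen lines: Ryan's claim that SPF "state" is just a table of what previous packets established (no state machine required), and Bennett's point that an SPF must itself do the fragment reassembly that the host IP stack does implicitly for an application gateway. The toy filter below is an added illustration written for this archive page, not code from either poster or from any firewall product; the `Fragment` record, the byte-granular offsets, the `ALLOW`/`HOLD`/`DROP` verdicts and the 10.0.0.5 / 203.0.113.7 addresses are all constructed for the example. It reassembles a datagram before any rule looks at it, refuses overlapping fragments rather than guessing which copy wins, and then admits inbound TCP only when it belongs to a flow the inside host opened.

```python
import struct
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Fragment:
    """Constructed model of an IP fragment: only the fields the filter needs."""
    src: str
    dst: str
    ident: int      # IP identification, shared by all fragments of one datagram
    offset: int     # fragment offset in bytes (real IP counts 8-byte units)
    more: bool      # IP "more fragments" flag
    data: bytes


def tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header as constructed test data (checksum left zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


class Reassembler:
    """Rebuild whole datagrams so rules never see a header split across fragments."""

    def __init__(self):
        self.pending = {}   # (src, dst, ident) -> [ {offset: data}, total length or None ]

    def add(self, frag):
        key = (frag.src, frag.dst, frag.ident)
        parts, total = self.pending.setdefault(key, [{}, None])
        end = frag.offset + len(frag.data)
        for off, data in parts.items():
            if frag.offset < off + len(data) and off < end:
                del self.pending[key]       # overlapping data is ambiguous: discard the datagram
                raise ValueError("overlapping fragment")
        parts[frag.offset] = frag.data
        if not frag.more:
            total = end                     # the final fragment fixes the datagram length
            self.pending[key][1] = total
        if total is None:
            return None
        pos = 0                             # complete only when coverage is contiguous from 0
        for off in sorted(parts):
            if off != pos:
                return None
            pos += len(parts[off])
        if pos != total:
            return None
        payload = b"".join(parts[off] for off in sorted(parts))
        del self.pending[key]
        return frag.src, frag.dst, payload


class StatefulFilter:
    """State is a table of flows opened from inside; no explicit state machine needed."""

    def __init__(self, inside):
        self.inside = set(inside)           # addresses on the protected side
        self.reasm = Reassembler()
        self.flows = set()                  # (src, sport, dst, dport) of outbound-initiated flows

    def process(self, frag):
        try:
            datagram = self.reasm.add(frag)
        except ValueError:
            return "DROP"
        if datagram is None:
            return "HOLD"                   # nothing is decided until the whole datagram is visible
        return self.decide(*datagram)

    def decide(self, src, dst, payload):
        if len(payload) < 20:
            return "DROP"                   # cannot carry a full TCP header
        sport, dport, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(
            "!HHIIBBHHH", payload[:20])
        if src in self.inside:
            if flags & TCP_SYN and not flags & TCP_ACK:
                self.flows.add((src, sport, dst, dport))   # inside host opened a connection
                return "ALLOW"
            key = (src, sport, dst, dport)
        else:
            key = (dst, dport, src, sport)  # inbound must be the reverse of a known flow
        if key not in self.flows:
            return "DROP"
        if flags & (TCP_FIN | TCP_RST):
            self.flows.discard(key)         # simplified: forget the flow on the first FIN/RST
        return "ALLOW"


def demo():
    """Fragmented outbound SYN, its reply, an unsolicited inbound SYN, and an overlap."""
    fw = StatefulFilter(inside={"10.0.0.5"})
    syn = tcp_header(40000, 80, TCP_SYN)
    out = []
    # outbound SYN split into two fragments: the first 8 bytes, then the remaining 12
    out.append(fw.process(Fragment("10.0.0.5", "203.0.113.7", 1, 0, True, syn[:8])))
    out.append(fw.process(Fragment("10.0.0.5", "203.0.113.7", 1, 8, False, syn[8:])))
    # the server's SYN/ACK matches the flow recorded above
    out.append(fw.process(Fragment("203.0.113.7", "10.0.0.5", 2, 0, False,
                                   tcp_header(80, 40000, TCP_SYN | TCP_ACK))))
    # an unsolicited inbound SYN to port 22 matches no flow
    out.append(fw.process(Fragment("203.0.113.7", "10.0.0.5", 3, 0, False,
                                   tcp_header(4444, 22, TCP_SYN))))
    # two fragments of one datagram whose data overlaps: discarded, not guessed at
    out.append(fw.process(Fragment("203.0.113.7", "10.0.0.5", 4, 0, True, syn[:8])))
    out.append(fw.process(Fragment("203.0.113.7", "10.0.0.5", 4, 4, False, syn[4:])))
    return out


if __name__ == "__main__":
    print(demo())
```

Two design choices are the whole point. First, `process` returns `HOLD` rather than a verdict for an incomplete datagram, which is exactly the cleanup Bennett says an SPF must provide for itself while an application gateway gets it for free from the kernel stack (a real filter would also time out stale entries in `pending`). Second, `flows` is a plain set of tuples, supporting Ryan's remark that "state" means remembering what earlier packets established, not that the filter is literally a state machine.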
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:32 CDT