
NFR Wizards Archive: Re: GXD vs. SPF

Re: GXD vs. SPF


Paul D. Robertson (proberts@clark.net)
Sat, 26 Sep 1998 15:50:59 -0400 (EDT)


On Thu, 24 Sep 1998, Stout, Bill wrote:

> Having done my fair share of hand waving and whiteboarding about AG vs. SPF,
> I'm curious about something else.
>
> Generic Proxy security vs. SPF session security.

By "Generic Proxy", I assume you mean transport layer relay like plug-gw,
Socks, etc.?

> Given a specific traffic session, ignoring the whole packet-level attack
> category:

I'm not sure that ignoring the whole packet-level attack category is prudent,
since packet filters have this as their downside in general, but also
have the chance to do more detection there than is typically provided by
a hardened bastion (though there were some interesting Linux kernel mods
posted to Bugtraq that detected scans and presumably spoof attempts as
well).

If you ignore a class of attack then your model is going to be flawed in
regards to attacks in general.
 
> If the GXD simply reassembles segments to TCP windows and passes them on to
> the target, only using sequence numbers to keep track of the TCP session,
> would a SPF provide better validation of a session than a generic proxy?

I don't see how it could be "better" unless it was for UDP or the SPF
(outside of the realm of the actual filtering) provided some sort of
additional detection mechanism. The TCP state (no ACK) given by a
plug-gw type program is as fool-proof as the state mechanism in say
IPFilter or FW-1 in terms of "this packet goes to a valid conversation
that we started". Perhaps more so, since you get a reliability for
fragment reassembly and behaviour than you would passing to multiple
internal hosts of different types through a packet filter. I've not
looked at SOCKS since V3, so I wouldn't know where to place that in an
assessment.

> The security stack would be:
>
> AG
> SPF
> GXD
> Packet Filter

I'd think that SPF and GXD would be at the same level, and have a
different order in the hierarchy depending on what exactly one was
attempting to protect, and the risks you had to assume with a particular
architecture and potential attack base. I can see times when one or the
other would have particular advantages over the one placed below it.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@clark.net which may have no basis whatsoever in fact."
                                                                     PSB#9280
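The reply above turns on one property that Paul attributes to both a plug-gw style relay and a stateful packet filter: an inbound segment is passed only if it belongs to "a valid conversation that we started". The following is an added example written for this archive page, not code from the original message, from NFR, or from any firewall product named in the thread. It is a toy connection tracker of the kind a stateful packet filter must implement itself (a relay like plug-gw gets the equivalent check for free from the bastion host's own TCP stack). The inside address prefix, the acceptance window, the state names, and the replayed trace are all constructed for illustration.

```python
# Added example (not from the original thread): a toy stateful packet filter
# that accepts inbound TCP segments only for conversations an inside host
# opened. The prefix, window and trace below are constructed assumptions.
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # assumption: anything with this prefix is "inside"
WINDOW = 65535           # assumption: crude acceptance window for seq checks
MOD = 1 << 32            # TCP sequence-number space


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # "S", "SA", "A", "R" are enough for this example
    seq: int
    ack: int = 0
    length: int = 0      # payload bytes carried by the segment


@dataclass
class Conn:
    state: str           # SYN_SENT -> SYN_RECV -> ESTABLISHED
    in_next: int         # next seq expected from the inside host
    out_next: int = 0    # next seq expected from the outside host


def ahead(a, b):
    """True if sequence number a is strictly ahead of b (mod 2**32)."""
    return a != b and (a - b) % MOD < MOD // 2


def in_window(seq, expected):
    """True if seq is at/after expected within WINDOW, or a short retransmit."""
    delta = (seq - expected) % MOD
    return delta < WINDOW or delta > MOD - WINDOW


class StatefulFilter:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> Conn
        self.table = {}

    def filter(self, p):
        """Return ('ACCEPT'|'DROP', reason) and update the state table."""
        outbound = p.src.startswith(INSIDE_NET)
        key = ((p.src, p.sport, p.dst, p.dport) if outbound
               else (p.dst, p.dport, p.src, p.sport))
        conn = self.table.get(key)

        if "R" in p.flags and conn is not None:
            del self.table[key]            # a reset tears the state down
            return "ACCEPT", "reset tears down state"

        if outbound:
            if conn is None:
                if p.flags == "S":         # only an inside SYN creates state
                    self.table[key] = Conn("SYN_SENT", in_next=(p.seq + 1) % MOD)
                    return "ACCEPT", "new conversation started from inside"
                return "DROP", "outbound non-SYN without state"
            if conn.state == "SYN_SENT":
                return (("ACCEPT", "SYN retransmit") if p.flags == "S"
                        else ("DROP", "unexpected flags before SYN/ACK"))
            if conn.state == "SYN_RECV":
                if p.flags == "A" and p.ack == conn.out_next:
                    conn.state = "ESTABLISHED"
                    return "ACCEPT", "handshake complete"
                return "DROP", "bad handshake ACK"
            if not in_window(p.seq, conn.in_next):
                return "DROP", "inside seq out of window"
            new = (p.seq + p.length) % MOD
            if ahead(new, conn.in_next):
                conn.in_next = new
            return "ACCEPT", "inside data"

        # inbound: nothing is accepted unless an inside host started it
        if conn is None:
            return "DROP", "no conversation we started"
        if conn.state == "SYN_SENT":
            if p.flags == "SA" and p.ack == conn.in_next:
                conn.out_next = (p.seq + 1) % MOD
                conn.state = "SYN_RECV"
                return "ACCEPT", "SYN/ACK answering our SYN"
            return "DROP", "inbound segment does not answer our SYN"
        if not in_window(p.seq, conn.out_next):
            return "DROP", "outside seq out of window"
        if ahead(p.ack, conn.in_next):
            return "DROP", "acks data the inside host never sent"
        new = (p.seq + p.length) % MOD
        if ahead(new, conn.out_next):
            conn.out_next = new
        return "ACCEPT", "outside data for an established conversation"


def run_trace():
    """Replay a constructed trace through the filter; returns the verdicts."""
    inside, web, rogue = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    trace = [
        Packet(inside, 40000, web, 80, "S", seq=1000),
        Packet(web, 80, inside, 40000, "SA", seq=5000, ack=1001),
        Packet(inside, 40000, web, 80, "A", seq=1001, ack=5001),
        Packet(inside, 40000, web, 80, "A", seq=1001, ack=5001, length=20),
        Packet(web, 80, inside, 40000, "A", seq=5001, ack=1021, length=100),
        Packet(rogue, 80, inside, 40000, "SA", seq=7777, ack=1001),    # unsolicited
        Packet(web, 80, inside, 40000, "A", seq=999999, ack=1021, length=10),  # blind
        Packet(web, 2222, inside, 40000, "S", seq=1),                   # inbound SYN
    ]
    fw = StatefulFilter()
    return [fw.filter(p)[0] for p in trace]


if __name__ == "__main__":
    for verdict in run_trace():
        print(verdict)
```

The first five segments are a normal inside-initiated handshake and exchange and are accepted; the unsolicited SYN/ACK, the out-of-window injection, and the inbound SYN are dropped because no state entry says an inside host asked for them. This is exactly the check a plug-gw relay never has to write: the bastion's kernel rejects those segments before the relay process sees a byte, which is why the reply rates the two mechanisms as equivalent for TCP and reserves the SPF's possible advantage for UDP or for extra detection logic.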



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT