RE: GXD vs. SPF
Ryan Russell (ryanr at sybase.com)
Tue, 29 Sep 1998 16:51:48 -0700
- Previous message: Jean-Christophe Touvet: "Re: Comparisons of Firewall-1 vs. PIX"
- In reply to: Mark Horn [ Net Ops ]: "Re: Comparisons of Firewall-1 vs. PIX"
>Does the SPF function add (to session state monitoring) anything that
>natural TCP sessions states don't?
Not generic SPF, no. You get less actually. Very little of the SPF done
in Firewall-1 touches the data stream. The HTTP SPF of the PIX looks
like it might be heading in the right direction. FW-1 security servers
aren't SPF, near as I can tell. To be complete, SPF adds pretty much
automatic transparency, but that's not a security feature, strictly speaking.
FW-1 adds things like SYNDefender, but that's not strictly a generic SPF
feature, though it's pretty easy to add.
>I thought SPF did unless marketing
>technical material, and earlier posts about SPF discussed enhancements to
>the SPF function such as programmatically added (data field pattern
>matching) filters.
They could, but typically don't.
>The capability for enhancement could be argued as a natural
>feature of an architecture. That would explain the SPF/AG arguments.
I hope they head in that direction. AGs can add the same features
just as easily, maybe easier.
>If SPF is only equivalent to (not better than) TCP session state tracking,
>then SPF belongs in an AG firewall to add session state to UDP generic
>proxies.
There's very little to maintain state on in a UDP header. Many SPFs
modify the source port to act as an index. There are problems
with this. There is a specific bug with FW-1 handling UDP. AGs will
maintain better "state" if they understand the protocol. Generic
UDP SPFs don't do that good a job. A generic transport-level UDP relay
would look an awful lot like a UDP SPF.
>The SPF vs. AG firewall argument is similar to NT vs. UNIX security; in
>UNIX you turn things on until you're comfortable, and in NT you turn
>things off or patch until you're comfortable.
Firewall-1 designers appear to start with the most generic SPF handler
possible, and only add better handling when the protocol won't
work otherwise, or some exploit is published. That's the wrong place
for a firewall to be.
(To be fair...my SPF information comes mostly from working with FW-1,
and more limited work with the PIX. There are other SPF firewalls out
there that I've never seen or touched, so they shouldn't be penalized by
my statements. I tend to speak like I'm talking about all of them
only because FW-1 is often considered to be "the" SPF firewall,
and it sucks enough for all of them combined.)
Ryan
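As an added example (not from Ryan's post or from any firewall product) of the "state" a generic UDP packet filter fabricates from the header alone: an outbound datagram opens an entry keyed on the 4-tuple, an inbound datagram is allowed only if it mirrors a live entry, and entries expire after an assumed idle timeout; the payload is never inspected, which is the gap a protocol-aware gateway closes.

```python
"""Constructed illustration of generic UDP pseudo-state tracking: a UDP header
carries no connection state, so the filter invents one from (src, sport, dst,
dport) plus a timer. Nothing here looks at the payload."""
from dataclasses import dataclass

IDLE_TIMEOUT = 40.0  # seconds; assumed value, not from the original post

@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float       # arrival time in seconds
    outbound: bool  # True if leaving the protected network

class UdpPseudoState:
    def __init__(self, timeout: float = IDLE_TIMEOUT):
        self.timeout = timeout
        self.table: dict[tuple, float] = {}  # 4-tuple -> last-seen time

    def _expire(self, now: float) -> None:
        for key in [k for k, seen in self.table.items() if now - seen > self.timeout]:
            del self.table[key]

    def filter(self, d: Datagram) -> str:
        """Return 'allow' or 'drop' and update the pseudo-session table."""
        self._expire(d.ts)
        if d.outbound:
            # Any outbound datagram opens (or refreshes) a pseudo-session.
            self.table[(d.src, d.sport, d.dst, d.dport)] = d.ts
            return "allow"
        # Inbound is accepted only as the mirror image of a live entry.
        key = (d.dst, d.dport, d.src, d.sport)
        if key in self.table:
            self.table[key] = d.ts
            return "allow"
        return "drop"

def demo() -> list[str]:
    """Constructed traffic: a DNS query, its reply, a reply from the wrong
    source address, and a genuine reply arriving after the idle timeout."""
    spf = UdpPseudoState()
    flow = [
        Datagram("10.0.0.5", 40001, "192.0.2.53", 53, 0.0, True),     # query out
        Datagram("192.0.2.53", 53, "10.0.0.5", 40001, 0.1, False),    # reply in
        Datagram("198.51.100.9", 53, "10.0.0.5", 40001, 0.2, False),  # wrong source
        Datagram("192.0.2.53", 53, "10.0.0.5", 40001, 60.0, False),   # after timeout
    ]
    return [spf.filter(d) for d in flow]
```

The table has no notion of the application exchange: a source that guesses the open port pair within the timeout window is indistinguishable from the real peer, which is the "very little to maintain state on" point above.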
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:48 CDT