> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 13 April 2000 5:16 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Packet Filtering vs. Proxy
>
>
> "Luff, Darryl" <[EMAIL PROTECTED]> wrote:
> >
> > A packet filter only works on port numbers. [snip]
Not quite...
> > So if the packets have been intentionally fiddled with in some way
> > the 'fiddled' packet will get to the server.
Absolutely right.
[now, from "bmurrel"]
> Wrong. Please read Aza's question more carefully. He asked about
> "stateful" packet filters. They are much more powerful than regular
> filters in they *do* look at packet contents as well as packet flags,
> etc. I have left the relevant portion of Aza's message intact below
> from your quotation of his message.
Please, _do_ try to moderate your tone and be a bit polite. Most of us here
are grown up now - we'll be able to tell if you're smart without you
verbally slapping people about.
Strictly speaking, a stateful packet filter only keeps state (duh). This
means that an SPF is supposed to know everything about the TCP/IP rules for
the flow of data between the internal and external hosts. However, SPFs
aren't really supposed to look at application level data - and indeed they
usually don't. There are some hybrids that look at the application data of
the first few packets of a flow but (IMO) these should be called something
different to avoid confusion.
So, essentially, by using an SPF you trade off some security for a reasonable
speed / RAM saving.
Of course, in theory, an ALG will subject a packet to much closer application
level scrutiny than any SPF ever could, due to the speed/RAM problem. In
practice, however, it's damn near impossible to write an effective ALG for
lots of the protocols streaming in and out of networks now (notably HTTP).
However the key point that Darryl made is that an ALG (Application Level
Gateway - Proxy if you like) terminates the IP connection and forms a new
one to the internal hosts. This _ensures_ that no "fiddled" packets get
through. If FW-1 is anything to judge the current state-of-the art for SPFs
by, you don't have anywhere near that kind of assurance with current SPF
implementations.
>
> > > -----Original Message-----
> > > From: Aza Goudriaan [SMTP:[EMAIL PROTECTED]]
> > > Sent: Thursday, April 13, 2000 5:01 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Packet Filtering vs. Proxy
> > >
>
> [ snip ]
>
> > > 1. When reading about packet filtering and proxies, everybody says
> > > that a proxy gives more security than (stateful) packet filtering.
> > > Can you explain why?
>
Cheers,
--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
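The point in the thread above, that a stateful filter "keeps state" about a TCP flow rather than judging each packet on its own flags, is easy to see with a toy model. The following is an added example, not code from the thread or from any product mentioned in it: it compares a classic stateless ACL (inbound traffic allowed only when the ACK bit is set, the old "established" heuristic) with a minimal TCP connection tracker, and runs both over a constructed packet trace. The TCP state machine is deliberately simplified (no sequence-number checking, no timeouts), the addresses and ports are made up, and the internal prefix `10.0.0.` is an assumption for the demo. Notice how a "fiddled" inbound packet with the ACK bit set sails through the stateless rule, while the tracker rejects it because no internal host ever opened that flow.

```python
"""Toy comparison: stateless 'established' ACL vs stateful TCP tracker (example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

INTERNAL_NET = "10.0.0."  # assumed internal prefix for this toy


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "FIN", "RST"}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def stateless_decision(pkt: Packet) -> bool:
    """Stateless rule set: anything from inside may leave; inbound packets
    are accepted only if the ACK bit is set (assumed to be 'a reply')."""
    if is_internal(pkt.src):
        return True
    return "ACK" in pkt.flags


FlowKey = Tuple[str, int, str, int]


class StatefulFilter:
    """Minimal connection tracker: inbound packets are accepted only when
    they belong to a flow an internal host opened, and only if their flags
    make sense for the flow's current state."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}

    @staticmethod
    def key(pkt: Packet) -> FlowKey:
        # Normalise so both directions of a flow share one entry (inside first).
        if is_internal(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt: Packet) -> bool:
        k = self.key(pkt)
        state = self.flows.get(k)
        outbound = is_internal(pkt.src)
        f = pkt.flags
        if "RST" in f:                      # reset only meaningful for a known flow
            if state is None:
                return False
            del self.flows[k]
            return True
        if state is None:                   # only an outbound bare SYN creates state
            if outbound and f == {"SYN"}:
                self.flows[k] = "SYN_SENT"
                return True
            return False
        if state == "SYN_SENT":             # expect the peer's SYN/ACK (or a SYN retransmit)
            if not outbound and f == {"SYN", "ACK"}:
                self.flows[k] = "SYN_RECV"
                return True
            return outbound and f == {"SYN"}
        if state == "SYN_RECV":             # expect our final handshake ACK
            if outbound and f == {"ACK"}:
                self.flows[k] = "ESTABLISHED"
                return True
            return False
        if state in ("ESTABLISHED", "CLOSING"):
            if "SYN" in f:                  # a SYN inside a live flow is bogus
                return False
            if "FIN" in f:
                if state == "ESTABLISHED":
                    self.flows[k] = "CLOSING"
                else:
                    del self.flows[k]       # second FIN: flow is done
            return True
        return False


CLIENT, SERVER, ATTACKER = "10.0.0.5", "192.0.2.10", "198.51.100.7"


def F(*names: str) -> FrozenSet[str]:
    return frozenset(names)


# Constructed trace: a legitimate outbound HTTP handshake, then crafted
# inbound packets that carry the ACK bit but belong to no real flow.
TRACE: List[Tuple[str, Packet]] = [
    ("legit syn", Packet(CLIENT, 40000, SERVER, 80, F("SYN"))),
    ("legit synack", Packet(SERVER, 80, CLIENT, 40000, F("SYN", "ACK"))),
    ("legit ack", Packet(CLIENT, 40000, SERVER, 80, F("ACK"))),
    ("legit data", Packet(SERVER, 80, CLIENT, 40000, F("ACK"))),
    ("crafted ack", Packet(ATTACKER, 3333, CLIENT, 139, F("ACK"))),
    ("crafted synack", Packet(ATTACKER, 3333, CLIENT, 139, F("SYN", "ACK"))),
    ("inbound syn", Packet(ATTACKER, 4444, CLIENT, 22, F("SYN"))),
]


def run_trace(trace: List[Tuple[str, Packet]] = TRACE) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (stateless_verdict, stateful_verdict)} for each packet."""
    sf = StatefulFilter()
    return {name: (stateless_decision(p), sf.decide(p)) for name, p in trace}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_trace().items():
        print(f"{name:15s} stateless={'PASS' if stateless else 'DROP'} "
              f"stateful={'PASS' if stateful else 'DROP'}")
```

Even this tracker only reasons about TCP flags and direction; it never inspects the HTTP payload, which is exactly the gap the message above says an ALG is meant to close by terminating the connection and speaking the application protocol itself.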