On Fri, 15 Dec 2000, Reckhard, Tobias wrote:
> Bottom line: Stateful filters (and packet filters too) could perform
> decisions just like ALGs, but they currently don't. And I see no trend in
> the direction.
Not quite true generically... A packet filter doesn't have information
about what the client is willing to accept. That means that out-of-order
fragments or packets could cause a specific action (or DoS) depending on how
well the implementation does in handling of things, and that's especially
true of non-TCP based protocols where there's not a sequence number.
Network IDSs generally have the same sets of issues. ALGs are the
client, so they have a specific stack behaviour that means they don't need
that as a decision point.
There are some actions that an ALG typically can't perform and a packet
filter can, but that's why almost everything is a hybrid of some sort.
The key is figuring out how weighted the hybrid should be towards
application layer stuff.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
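An added illustration of the point Paul makes above (example code, not from the original thread): a filter that inspects fragments without knowing the client's reassembly behaviour can reach a different view of the datagram than the client does, whereas a normalizing filter can refuse the ambiguous case outright. Fragments are modelled as constructed (offset, payload) pairs; the two policies "first" and "last" are assumed stand-ins for two different host stacks.

```python
"""Out-of-order and overlapping fragments seen by a filter vs. a client.

Added example, not part of the original mailing-list post. A fragment is
just a constructed (offset, payload) pair, not a real IP header.
"""

def reassemble(frags, policy):
    """Rebuild a datagram from fragments arriving in any order.

    policy="first": the byte that arrived first wins (one plausible stack).
    policy="last":  a later fragment overwrites earlier bytes (another stack).
    Returns None when the byte range has a hole (datagram incomplete).
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}
    for offset, data in frags:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    if any(pos not in buf for pos in range(max(buf) + 1)):
        return None
    return bytes(buf[pos] for pos in range(max(buf) + 1))

def has_overlap(frags):
    """True if two fragments claim the same byte position.

    A normalizing filter that cannot predict the client's policy can refuse
    such datagrams instead of guessing which byte the client will keep."""
    seen = set()
    for offset, data in frags:
        span = set(range(offset, offset + len(data)))
        if seen & span:
            return True
        seen |= span
    return False

def filter_view_vs_client_view(frags):
    """Filter reassembles with one policy, client with another; return both."""
    return {"filter": reassemble(frags, "first"),
            "client": reassemble(frags, "last")}

# Constructed samples: AMBIGUOUS sends bytes 3..5 twice, out of order.
AMBIGUOUS = [(0, b"abc"), (6, b"ghi"), (3, b"XYZ"), (3, b"def")]
CLEAN = [(6, b"ghi"), (0, b"abc"), (3, b"def")]

if __name__ == "__main__":
    print(filter_view_vs_client_view(AMBIGUOUS))      # two different payloads
    print(filter_view_vs_client_view(CLEAN))          # identical payloads
    print(has_overlap(AMBIGUOUS), has_overlap(CLEAN))  # True False
```

An ALG sits where the client does and reassembles with a single known policy, so it never has to pick between the two views; a filter either models every client stack it protects or drops the overlap.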