At 06:28 15/12/00 -0500, Paul D. Robertson wrote:
>On Fri, 15 Dec 2000, Reckhard, Tobias wrote:
>
> > Bottom line: Stateful filters (and packet filters too) could perform
> > decisions just like ALGs, but they currently don't. And I see no trend in
> > the direction.
>
>Not quite true generically... A packet filter doesn't have information
>about what the client is willing to accept.
In my opinion, the difference between an ALG and a packet filter is
not in the specification of what each is, but in the implementation.
In theory, anything that can be done at user-level can be done at
kernel-level and vice-versa. It's just that kernel coding is not that simple,
nor is it the best approach. So from a modularity viewpoint, ALGs are superior,
whatever Checkpoint and others will shout.
It is theoretically possible to queue/reassemble all the packets in the stack,
and do all the parsing an ALG can do, then forward or reject...
but I don't see any benefit in doing that instead of just redirecting
the packets to a proxy and letting the "normal" kernel do its job to
keep state.
>That means that out-of-order
>fragments or packets could cause a specific action (or DoS) depending on how
>well the implementation does in handling of things, and that's especially
>true of non-TCP based protocols where there's not a sequence number.
>Network IDS' generally have the same sets of issues. ALGs are the
>client, so they have a specific stack behaviour that means they don't need
>that as a decision point.
While I agree, I interpret that as:
- in an ALG, decisions are taken by the developer,
- in a filter, they are taken by the filter.
More clearly, ALGs are good, do whatever you want, provided they are available.
Just passing things via a generic proxy is probably a good thing, but not
revolutionary compared to a filter.
>There are some actions that an ALG typically can't perform and a packet
>filter can, but that's why almost everything is a hybrid of some sort.
>The key is figuring out how weighted the hybrid should be towards
>application layer stuff.
Fully agree. I don't think we should prefer filters over proxies (or
vice-versa). We should prefer good solutions over bad ones.
cheers,
mouss
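The out-of-order fragment point above, as an added illustration that is not part of the thread: the same fragments are judged per packet (filter style) and after reassembly (ALG/proxy style). The command names, policy and fragment samples are constructed and only resemble an FTP-like protocol.

```python
# Added illustration, not code from the thread: per-fragment filtering versus
# proxy-style reassembly applied to the same out-of-order fragments.
# Command names and policy are constructed; they only resemble FTP.
from typing import Dict, List, Optional, Tuple

KNOWN = {b"LIST", b"RETR", b"DELE"}     # commands the parser recognises
ALLOWED = {b"LIST", b"RETR"}            # policy: read-only commands only


def per_fragment_verdict(data: bytes) -> Optional[bool]:
    """Decide from one fragment alone. True=allow, False=deny, None=undecidable."""
    head, sep, _ = data.partition(b" ")
    if not sep or head not in KNOWN:     # command word incomplete or unknown
        return None
    return head in ALLOWED


class Reassembler:
    """Buffer fragments by offset; release a line once bytes 0..CRLF are contiguous."""

    def __init__(self) -> None:
        self.chunks: Dict[int, bytes] = {}

    def add(self, offset: int, data: bytes) -> Optional[bytes]:
        self.chunks[offset] = data
        line, pos = b"", 0
        while pos in self.chunks:         # walk contiguous bytes from offset 0
            line += self.chunks[pos]
            pos += len(self.chunks[pos])
            if line.endswith(b"\r\n"):
                return line
        return None                       # a gap remains: keep waiting


def proxy_verdict(fragments: List[Tuple[int, bytes]]) -> bool:
    """ALG style: reassemble first, then apply the policy to the whole command."""
    buf = Reassembler()
    for offset, data in fragments:
        line = buf.add(offset, data)
        if line is not None:
            return line.split(b" ", 1)[0] in ALLOWED
    return False                          # incomplete message: fail closed


# Constructed samples, delivered out of order with the command word split.
DELE_FRAGS = [(2, b"LE notes.txt\r\n"), (0, b"DE")]
RETR_FRAGS = [(2, b"TR notes.txt\r\n"), (0, b"RE")]

if __name__ == "__main__":
    for name, frags in (("DELE", DELE_FRAGS), ("RETR", RETR_FRAGS)):
        print(name, [per_fragment_verdict(d) for _, d in frags], proxy_verdict(frags))
```

Per fragment, neither sample yields a decision (both return None twice), so a filter at that layer must either pass or drop blind; the reassembling proxy denies DELE and allows RETR because it sees what the client would see.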