
Prove to me 'state-based' is safe


Ryan Russell/SYBASE

Aug 13, 1997

Well, it badly needs updating, but you can
see my complete rant here:

http://futon.sfsu.edu/~rrussell/spfvprox.htm

Anyway, with your rather limited analogy, I would change
state-based to read:

# State-based #
Airport security gate that checks passenger tickets for source, destination,
and gate. Inspects luggage if you look suspicious.

You seem to indicate that the first packet is the only
one checked for source/destination addresses and
ports etc., which is not correct.

I can't speak to the intentions of the SPF designers as to why
they created them (whether it was primarily for performance
or not).

As for the main difference between a traditional packet
filter and an SPF, consider the overused example of FTP.
The two main SPF implementations in the market that I'm
familiar with (FW1 and PIX) will watch for the port command
and open only the appropriate port, and only until the FIN/ACK
is done. A regular packet filter generally has to leave all
ports greater than 1023 open all the time.

Ryan


----------------------------------------------
# Proxy filter #
Airport security gate that checks passenger tickets for source, destination,
and gate. Inspects luggage.

# State-based #
Airport security gate that checks ticket of first member of a family for
source, destination and gate, and allows the rest to pass through unchecked
to speed throughput. Ignores luggage, tickets of remaining family, and
crazed ex-wife rolling barrel of ammonium nitrate onto plane.

IMHO - The primary purpose of a state-based mechanism (by itself) is to
improve throughput, _might_ increase security for UDP applications (though
no gatekeeper in their right mind would allow UDP through a firewall).
State-based mechanisms should do absolutely nothing for TCP security that's
any better than packet filter security.

Bill Stout
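
The FTP handling Ryan describes, modelled as an added example (not part of the thread, and not FW-1 or PIX code): a traditional filter that must keep every inbound port above 1023 open, beside a stateful one that opens only the port announced in PORT and closes it again once the data connection is torn down. The addresses, ports and packet trace are constructed, and the check that PORT names the client itself is an added assumption.

```python
import re

# Added model of the post's FTP handling (not FW-1/PIX code); addresses and trace are constructed.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_port_command(payload):
    """Return the (ip, port) a client announces in an FTP PORT command, or None."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    a, b, c, d, hi, lo = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", hi * 256 + lo

class StaticFilter:
    """Traditional packet filter: must leave every inbound port above 1023 open all the time."""
    def allows(self, pkt):
        return pkt["dir"] == "out" or pkt["dport"] > 1023

class StatefulFilter:
    """Watches the control channel for PORT, opens a pin-hole for just that
    port, and closes it again when the data connection is torn down."""
    def __init__(self):
        self.pinholes = set()          # (client_ip, client_port) currently open

    def allows(self, pkt):
        if pkt["dir"] == "out":
            announced = parse_port_command(pkt.get("payload", b""))
            # Assumption, not from the post: only honour a PORT that names the client itself.
            if pkt["dport"] == 21 and announced and announced[0] == pkt["src"]:
                self.pinholes.add(announced)
            return True
        key = (pkt["dst"], pkt["dport"])
        if key in self.pinholes:
            if "FIN" in pkt.get("flags", ()):   # data transfer finished: close the pin-hole
                self.pinholes.discard(key)
            return True
        return False

def simulate(fw):
    """Replay a constructed trace; return which packets the filter let through."""
    server, client = "192.0.2.10", "10.0.0.5"
    trace = [
        {"dir": "out", "src": client, "dst": server, "dport": 21,
         "payload": b"PORT 10,0,0,5,7,209\r\n"},          # announces 10.0.0.5:2001
        {"dir": "in", "src": server, "dst": client, "dport": 2001, "flags": ("SYN",)},
        {"dir": "in", "src": server, "dst": client, "dport": 2001, "flags": ("FIN", "ACK")},
        {"dir": "in", "src": server, "dst": client, "dport": 2001, "flags": ("SYN",)},  # after teardown
        {"dir": "in", "src": "198.51.100.7", "dst": client, "dport": 6000, "flags": ("SYN",)},  # unrelated
    ]
    return [fw.allows(p) for p in trace]
```

The static filter passes all five packets, the stateful one only the first three; the two it drops are the reconnect after teardown and the unrelated high-port probe.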

Jyri Kaljundi

Aug 13, 1997

> # State-based #
> Airport security gate that checks ticket of first member of a family for
> source, destination and gate, and allows the rest to pass through unchecked
> to speed throughput. Ignores luggage, tickets of remaining family, and
> crazed ex-wife rolling barrel of ammonium nitrate onto plane.

This is not the case. Stateful filters can and do inspect luggage, for
example you can look for specific HTML tags or mail content and based on
that either allow or deny the traffic.

Also application proxies do not have to inspect the luggage. Yes, they
can store the data but even with application proxies you can let traffic
through without completely examining the inside of the suitcase.

So I think it all depends on the actual implementation.

Jyri Kaljundi
j...@stallion.ee
AS Stallion Ltd

