Firewall Wizards: Re: Proxy 2.0 secure? (AG vs. SPF)

From: Bennett Todd <bet_at_mordor.net>
Date: Tue, 7 Jul 1998 11:56:32 -0400

1998-06-30-10:12:01 Ryan Russell:
> >--- but they have increased vulnerability to problems in other IP stacks,
> >because they are allowing remote hosts to communicate directly with those
> >stacks.
>
> I disagree with this assumption. Current SPF implementations do this. It
> doesn't mean someone couldn't write a better one.

In other words, you're banking your arguments about the superiority of
stateful packet filtering on the fantasy that someone will write an SPF that
does fragment reassembly, options stripping, and all the other implicit
cleanup that's done by the IP stacks for application gateways.

Go for it. Maybe you're right; people have wasted the time and effort to write
some amazingly awful dreck, and people continue to waste even more time and
effort attempting to run it; there are a lot of sick pups out there.

But I'll betcha that even if someone _does_ what you propose --- write an
entire IP stack, with application proxies and everything, as state transition
rules for an SPF --- that the result will not be more secure than current
application gateway firewalls. Rather, you'll have a vastly more complex
implementation, which means more bug-ridden, and far harder to maintain and
enhance in the face of changing demands. That definitely sounds like a
market-leading product in today's market, I'll agree. I still won't use it.
And I won't expect it to be more secure.

-Bennett
Received on Jul 08 1998
