Firewall Wizards mailing list archives

Re: Help with SPF
From: "Ge' Weijers" <ge () progressive-systems com>
Date: Thu, 6 May 1999 10:03:53 -0400

On Tue, May 04, 1999 at 11:54:33AM -0400, carson () tla org wrote:
"Fred" == Frederick M Avolio <fred () avolio com> writes:

Fred> Any IP service can be supported through a SPF.

With 2 caveats:

- You may have to support it in an insecure fashion, due to crypto obscuring
the protocol.

Or obscurantism like the payload being encoded using ASN.1 or Roman
Numerals, and it's the SPF's task to dig through all of it to find
additional ports to open. Imagine maintaining enough state to track
this stuff in a stateful packet filter..... You'd end up building an
LALR(k) parser or something similar to do your matching.

Of course, _someday_ one of my vendors will get tired of me nagging them for
geographically diverse state sharing, and finally will be willing to sell it
to me :)

It's probably simpler and cheaper in the long run to fix the unsafe
protocols we're currently using, than to add more and more complexity
to firewalls.


-- 
Carson Gaspar -- carson () cs columbia edu carson () tla org carson () cugc org
http://www.cs.columbia.edu/~carson/home.html
Queen Trapped in a Butch Body


-- 
-
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220


