Firewall Wizards
mailing list archives
Re: Help with SPF
From: Bill_Royds () pch gc ca
Date: Thu, 6 May 1999 14:30:43 -0400
"Ge' Weijers" <ge () progressive-systems com> on 99-05-06 10:03:53 AM
Please respond to "Ge' Weijers" <ge () progressive-systems com>
To: carson () tla org, Frederick M Avolio <fred () avolio com>
cc: Marcelo Barbosa Lima <marcelo.lima () dcc unicamp br>,
firewall-wizards () nfr net (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Re: Help with SPF
On Tue, May 04, 1999 at 11:54:33AM -0400, carson () tla org wrote:
"Fred" == Frederick M Avolio <fred () avolio com> writes:
Fred> Any IP service can be supported through a SPF.
With 2 caveats:
- You may have to support it in an insecure fashion, due to crypto obscuring
the protocol.
Or obscurantism like the payload being encoded using ASN.1 or Roman
Numerals, and it's the SPF's task to dig through all of it to find
additional ports to open. Imagine maintaining enough state to track
this stuff in a stateful packet filter..... You'd end up building an
LALR(k) parser or something similar to do your matching.
What might be very useful is an ASN.1 compiler to help generate application
proxies for a proxy firewall.
If the protocol is properly described in ASN.1 syntax, this compiler would then
allow only transmissions that were valid syntactically.
This is less secure than a purpose-built protocol proxy that also involves semantics,
but certainly much better than simply the general proxies now forced on unpopular
protocols.
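The proxy Bill describes above, one that admits only transmissions that are syntactically valid against an ASN.1 description, as an added example that is not part of the original post: a small schema-driven DER validator of the kind an ASN.1 compiler could generate for an application proxy. The protocol (a hypothetical `Request ::= SEQUENCE { id INTEGER, port INTEGER, payload OCTET STRING }`), the schema representation, the sample messages and the error strings are all constructed for this example and are not from any real protocol or product.

```python
# Added example, not code from the original post: a schema-driven DER
# validator of the kind an ASN.1-compiler-generated application proxy would
# run on each message before forwarding it. The schema, the message bytes and
# the error strings are constructed for this example.

from typing import List, Tuple, Union

# Universal ASN.1 tags (DER encoding) used by the hypothetical protocol below.
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30

# Hypothetical module:
#   Request ::= SEQUENCE { id INTEGER, port INTEGER, payload OCTET STRING }
# in the form a compiler might emit: a leaf is a tag, a constructed type is
# (tag, [child schemas]).
Schema = Union[int, Tuple[int, List["Schema"]]]
REQUEST_SCHEMA: Schema = (TAG_SEQUENCE, [TAG_INTEGER, TAG_INTEGER, TAG_OCTET_STRING])


class ProtocolError(ValueError):
    """Raised on anything that is not a syntactically valid DER Request."""


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, end).

    Strict DER only: single-byte tags, definite lengths in minimal form.
    """
    if pos >= len(buf):
        raise ProtocolError("truncated tag")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise ProtocolError("multi-byte tag")
    if pos >= len(buf):
        raise ProtocolError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        length = first
    elif first == 0x80:                   # BER indefinite form, forbidden in DER
        raise ProtocolError("indefinite length")
    else:                                 # long form: n length octets follow
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ProtocolError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or length < (1 << (8 * (n - 1))):
            raise ProtocolError("non-minimal length")
    if pos + length > len(buf):
        raise ProtocolError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def check_integer(value: bytes) -> None:
    """DER INTEGER: non-empty two's complement with no redundant leading octet."""
    if not value:
        raise ProtocolError("empty integer")
    if len(value) > 1 and ((value[0] == 0x00 and not value[1] & 0x80)
                           or (value[0] == 0xFF and value[1] & 0x80)):
        raise ProtocolError("non-minimal integer")


def check_against(schema: Schema, buf: bytes) -> None:
    """Require buf to be exactly one value of `schema` with no trailing bytes."""
    tag, value, end = read_tlv(buf, 0)
    if end != len(buf):
        raise ProtocolError("trailing bytes")
    if isinstance(schema, int):           # primitive leaf
        if tag != schema:
            raise ProtocolError("unexpected tag 0x%02x" % tag)
        if tag == TAG_INTEGER:
            check_integer(value)
        return
    exp_tag, children = schema            # constructed type: walk fields in order
    if tag != exp_tag:
        raise ProtocolError("unexpected tag 0x%02x" % tag)
    pos = 0
    for child in children:
        if pos >= len(value):
            raise ProtocolError("missing field")
        _, _, nxt = read_tlv(value, pos)
        check_against(child, value[pos:nxt])
        pos = nxt
    if pos != len(value):
        raise ProtocolError("extra field")   # element the schema never declared


def proxy_decision(msg: bytes) -> Tuple[bool, str]:
    """Per-message decision of the generated proxy: forward only what parses."""
    try:
        check_against(REQUEST_SCHEMA, msg)
        return True, "forward"
    except ProtocolError as e:
        return False, str(e)


# Constructed sample traffic: one valid Request and several malformed ones.
SAMPLES = {
    "valid":               bytes.fromhex("300c020101020201bb0403616263"),
    "extra field":         bytes.fromhex("300f020101020201bb0403616263020105"),
    "truncated value":     bytes.fromhex("300c020101020201bb04036162"),
    "indefinite length":   bytes.fromhex("3080020101020201bb04036162630000"),
    "wrong type":          bytes.fromhex("300c040101020201bb0403616263"),
    "non-minimal integer": bytes.fromhex("300d02020001020201bb0403616263"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print("%-20s -> %s" % (name, proxy_decision(msg)))
```

The check is purely syntactic, which is exactly the limit Bill draws: the validator will happily forward a well-formed `Request` whose `port` field names a port the site never meant to open, because nothing in the ASN.1 module says which values are acceptable. A semantic layer (range checks on `port`, a limit on `payload` length, per-session state) would sit on top of this parser in a purpose-built proxy; the generated parser only guarantees that the bytes reaching that layer are the structure the protocol definition promised, and that a peer cannot smuggle extra elements, indefinite-length constructs or truncated values past it.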
Current thread:
- Help with SPF Marcelo Barbosa Lima (May 03)
- <Possible follow-ups>
- Re: Help with SPF Bill_Royds (May 07)