Firewall Wizards mailing list archives
Re: Help with SPF
From: "Ge' Weijers" <ge () progressive-systems com>
Date: Thu, 6 May 1999 10:03:53 -0400
On Tue, May 04, 1999 at 11:54:33AM -0400, carson () tla org wrote:
"Fred" == Frederick M Avolio <fred () avolio com> writes:
Fred> Any IP service can be supported through a SPF.
With 2 caveats:
- You may have to support it in an insecure fashion, due to crypto obscuring the protocol.
Or obscurantism like the payload being encoded using ASN.1 or Roman Numerals, and it's the SPF's task to dig through all of it to find additional ports to open. Imagine maintaining enough state to track this stuff in a stateful packet filter..... You'd end up building an LALR(k) parser or something similar to do your matching.
Of course, _someday_ one of my vendors will get tired of me nagging them for geographically diverse state sharing, and finally will be willing to sell it to me :)
It's probably simpler and cheaper in the long run to fix the unsafe protocols we're currently using, than to add more and more complexity to firewalls.
-- Carson Gaspar -- carson () cs columbia edu carson () tla org carson () cugc org http://www.cs.columbia.edu/~carson/home.html Queen Trapped in a Butch Body
-- - Ge' Weijers Voice: (614)326 4600 Progressive Systems, Inc. FAX: (614)326 4601 2000 West Henderson Rd. Suite 400, Columbus OH 43220
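An added example, not part of the original message: a sketch of the payload digging the message describes, walking nested ASN.1 BER-style TLVs to find an address and port that a stateful filter would have to open. The message layout (a SEQUENCE holding a 4-byte OCTET STRING followed by an INTEGER), the function names and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress

class Truncated(Exception): pass   # element runs past the bytes seen so far

def read_tlv(buf, pos):
    """Decode one BER header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise Truncated
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tag not supported")
    if first < 0x80:                       # short-form length
        length = first
    elif first == 0x80 or (first & 0x7F) > 4:
        raise ValueError("indefinite or oversized length rejected")
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if pos + n > len(buf):
            raise Truncated
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise Truncated                    # filter must buffer and wait for more
    return tag, pos, pos + length

def find_endpoints(buf, depth=0, max_depth=8):
    """Return (ip, port) pairs from any SEQUENCE of OCTET STRING(4) + INTEGER."""
    if depth > max_depth:
        raise ValueError("nesting too deep")
    found, prims, pos = [], [], 0
    while pos < len(buf):
        try:
            tag, vs, ve = read_tlv(buf, pos)
        except Truncated:
            if depth:                      # child overruns its parent: malformed
                raise ValueError("child overruns parent") from None
            raise                          # top level: genuinely partial data
        if tag & 0x20:                     # constructed element: descend
            found += find_endpoints(buf[vs:ve], depth + 1, max_depth)
        else:
            prims.append((tag, buf[vs:ve]))
        pos = ve
    if [t for t, _ in prims] == [0x04, 0x02] and len(prims[0][1]) == 4:
        port = int.from_bytes(prims[1][1], "big", signed=True)
        if 1024 <= port <= 65535:          # only unprivileged ports get a pinhole
            found.append((str(ipaddress.IPv4Address(prims[0][1])), port))
    return found

# Constructed sample: SEQUENCE { [0] { SEQUENCE { 192.0.2.10, 5000 } }, "hi" }
SAMPLE = bytes.fromhex("3012a00c300a0404c000020a020213880402" "6869")
```

Even this toy case needs recursion, a depth limit, length sanity checks and a "wait for more bytes" state per connection, which is the complexity the message argues against pushing into the filter.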