Firewall Wizards mailing list archives
Re: ALGs or SPFs? Wee, again! :) (Was: re: Proverbial appliance vs software based firewall)
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 29 Oct 2002 15:55:16 +0100
"Patrick M. Hausen" wrote:

> [...] That was the entire point. In all SPF implementations I've seen so far
> the packets don't pass the OS's TCP implementation. [...]
> So why use SPF at all?

Ah, yes, this is the whole point of SPFs. If the OS starts rebuilding packets
from scratch, the performance penalty is high enough that, for high performance
scenarios, you arrive at "Sorry, too slow. Gotta go for router ACLs instead. Shit."
                                                                             ^^^^ content filter bait

There's also the whole flexibility issue here. If your ALG isn't smart enough to
forward stuff that you absolutely need to get through, you're again stuck with
router ACLs.

This is not to say that you shouldn't combine SPFs and ALGs. On the contrary.
An SPF is a tool. An ALG is a tool. They work fine in tandem, each complementing
the other's traits.

My preferred firewall (as used in the original sense of the word) setup is a
combination of an SPF box and one or more ALG boxes, where I can mix and match
as needed, per security zone. I personally don't like putting the ALG logic on
the "main traffic control unit"; I'd rather have that off to one side and apply
immutable controls and alarms in the SPF box.

This is, of course, assuming that the SPF box can't be circumvented, which has
indeed been proven possible to do when said box is either too "smart" and/or
too dumb.

... but that's implementation specifics :)

/Mike, opinionated mofo.
                    ^^^^ more filter bait

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
"Senex semper diu dormit"

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards