Firewall Wizards mailing list archives

Re: ALGs or SPFs? Wee, again! :) (Was: re: Proverbial appliance vs software based firewall)


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Tue, 29 Oct 2002 15:55:16 +0100


"Patrick M. Hausen" wrote:
> [...]
> That was the entire point. In all SPF implementations I've seen so
> far the packets don't pass the OS's TCP implementation.
> [...]
> So why use SPF at all?

Ah, yes, this is the whole point of SPFs. If the OS starts rebuilding
packets from scratch, the performance penalty is high enough that,
for high performance scenarios, you arrive at "Sorry, too slow.
Gotta go for router ACLs instead. Shit."
                                  ^^^^ content filter bait

There's also the whole flexibility issue here. If your ALG isn't 
smart enough to forward stuff that you absolutely need to get
through, you're again stuck with router ACLs.


This is not to say that you shouldn't combine SPFs and ALGs.
On the contrary.  An SPF is a tool. An ALG is a tool. They work
fine in tandem, each complementing the other's traits.  

My preferred firewall (as used in the original sense of the word) 
setup is a combination of an SPF box and one or more ALG boxes, 
where I can mix and match as needed, per security zone.  

I personally don't like putting the ALG logic on the "main traffic 
control unit"; I'd rather have that off to one side and apply immutable 
controls and alarms in the SPF box.  This is, of course, assuming that 
the SPF box can't be circumvented, which has indeed been proven possible 
to do when said box is either too "smart" and/or too dumb.
... but that's implementation specifics :)


/Mike, opinionated mofo.
                   ^^^^ more filter bait
-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
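The SPF/ALG distinction argued in the post, shown as an added example that is not from the post or from Clavister: a toy stateful packet filter. It does exactly what the thread attributes to an SPF: it matches headers against a connection table and enforces handshake order, but never reassembles or regenerates the TCP stream (the work an ALG takes on). All addresses, ports and the "allowed outbound ports" policy are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    """One packet header, reduced to what an SPF actually looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: "S", "SA", "A", "FA", "R"
    direction: str  # "out" = from the inside zone, "in" = from outside

# Connection key, always stored from the inside host's point of view:
# (inside_ip, inside_port, outside_ip, outside_port)
ConnKey = Tuple[str, int, str, int]

class StatefulFilter:
    """Minimal SPF: state is created only by outbound SYNs to permitted
    ports; inbound packets must match existing state and the expected
    handshake step. No payload is inspected or rebuilt."""

    def __init__(self, allowed_out_ports: set):
        self.allowed_out_ports = allowed_out_ports
        self.table: Dict[ConnKey, str] = {}   # key -> "SYN_SENT" | "ESTABLISHED"
        self.log: List[str] = []

    def _key(self, pkt: Packet) -> ConnKey:
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _drop(self, pkt: Packet, reason: str) -> str:
        # The "immutable controls and alarms" live here: every drop is logged.
        self.log.append(f"DROP {pkt.direction} {pkt.src}:{pkt.sport}->"
                        f"{pkt.dst}:{pkt.dport} [{pkt.flags}] {reason}")
        return "DROP"

    def process(self, pkt: Packet) -> str:
        key = self._key(pkt)
        state = self.table.get(key)
        if pkt.direction == "out":
            if state is None:
                # New flow: only a plain SYN to a permitted port creates state.
                if pkt.flags == "S" and pkt.dport in self.allowed_out_ports:
                    self.table[key] = "SYN_SENT"
                    return "ACCEPT"
                return self._drop(pkt, "new outbound flow not permitted")
            if pkt.flags == "R":
                del self.table[key]          # reset tears the entry down
            elif state == "SYN_SENT" and pkt.flags == "A":
                self.table[key] = "ESTABLISHED"  # third step of the handshake
            return "ACCEPT"
        # Inbound: no state means unsolicited traffic, regardless of flags.
        if state is None:
            return self._drop(pkt, "no matching state (unsolicited inbound)")
        if state == "SYN_SENT" and pkt.flags != "SA":
            return self._drop(pkt, "handshake violation (expected SYN-ACK)")
        if pkt.flags == "R":
            del self.table[key]
        return "ACCEPT"

def run_demo() -> List[str]:
    """Replays a constructed packet sequence; returns the verdict per packet."""
    fw = StatefulFilter(allowed_out_ports={80, 443})
    inside, web, stranger = "192.0.2.10", "198.51.100.5", "203.0.113.9"
    trace = [
        Packet(inside, 40000, web, 80, "S", "out"),    # legit outbound SYN
        Packet(web, 80, inside, 40000, "A", "in"),     # ACK before SYN-ACK: bad
        Packet(web, 80, inside, 40000, "SA", "in"),    # proper SYN-ACK
        Packet(inside, 40000, web, 80, "A", "out"),    # handshake completes
        Packet(web, 80, inside, 40000, "A", "in"),     # return data
        Packet(stranger, 5555, inside, 22, "S", "in"), # unsolicited inbound SYN
        Packet(web, 80, inside, 40001, "A", "in"),     # right peer, wrong port
        Packet(inside, 40002, web, 23, "S", "out"),    # telnet not in policy
        Packet(web, 80, inside, 40000, "R", "in"),     # peer resets the flow
        Packet(web, 80, inside, 40000, "A", "in"),     # stale packet after reset
    ]
    verdicts = [fw.process(p) for p in trace]
    for line in fw.log:
        print(line)
    return verdicts

if __name__ == "__main__":
    print(run_demo())
```

The point of the demo is what is absent: no buffering, no reassembly, no re-emitting of packets, so the per-packet cost is a table lookup and a few comparisons. Anything that needs to understand the application payload (the ALG's job) would sit in a separate process or box, which is the mix-and-match arrangement the post describes.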

