Re: Application Intelligent vs ALG

[Adam Shostack <adam () homeport org>]

I think we can see if it's better or not by applying intelligence.

If by better, we mean "resists more attacks," then a real
proxy which terminates the connection and re-builds it will catch all
the attacks which the inspect code can, plus some set of attacks where
the proxy author doesn't copy things the same way the app does;
perhaps reducing integer wrap-around problems.

If by better, we mean "faster," then an inspection engine which
copies, inspects and sends the original is going to be faster than a
proxy which copies, inspects, corrects, and sends, assuming that the
inspections are equal.

Only if by better, we mean "no one ever got fired for buying this,"
then the jury is still out.

All three are valid meanings of better.

Adam


On Tue, Jun 24, 2003 at 09:10:02AM +0200, Shimon Silberschlag wrote:
| It is my understanding that CP is different from an ALG because with
| an ALG, the ALG rewrites the packet to the destination, while with
| Checkpoint Application Intelligence, they only check if its "safe" to
| pass to the destination.
| 
| If its better or not, remains to be seen.
| 
| Shimon Silberschlag
| 
| +972-3-9351572
| +972-51-207130
| 
| ----- Original Message ----- 
| From: "Frederick M Avolio" <fred () avolio com>
| To: <SimonChan () lifeisgreat com sg>;
| <firewall-wizards () honor icsalabs com>
| Sent: Monday, June 23, 2003 15:18
| Subject: Re: [fw-wiz] Application Intelligent vs ALG
| 
| 
| > A fancy proxy.
| >
| > Three different people from Check Point wrote me in response to a
| recent
| > column of mine, basically asking me if I had heard of this new
| feature.
| >
| > I replied with a brief history. In short: Firewall-1 comes on the
| scene,
| > most FW1 users implement it with modules from the TIS FWTK (for
| adding user
| > authentication to FTP and TELNET), Check Point's marketing says
| proxies are
| > old technology, stateful inspection is the next generation of
| firewall
| > technology (before the term became a product name), people persisted
| in
| > using proxies, CP added "security servers" (proxies by another
| name), and
| > now this.
| >
| > I asked them, how is this different from application gateways
| (security
| > proxies). I applaud the addition of them (like there are other
| hybrid
| > firewalls). But none of the three folks from CP replied to me.
| >
| > I have no agenda, except the truth. (Boy, is this guy noble, or
| what? :-))
| > I'd like to know the answer to this: How this is different than
| application
| > gateways (if it is), and why is it better than Sidewinder, Firebox,
| Raptor,
| > et al.
| >
| >
| > Fred
| > Avolio Consulting, Inc.
| > 16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
| > +1 410-309-6910 (voice) +1 410-309-6911 (fax)
| > http://www.avolio.com/
| > PGP Key Fingerprint:    928D 0903 934F 8CFA 6124
| >                          BBF6 0B45 93C7 3521 CEA0
| >
| > _______________________________________________
| > firewall-wizards mailing list
| > firewall-wizards () honor icsalabs com
| > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
| 
| _______________________________________________
| firewall-wizards mailing list
| firewall-wizards () honor icsalabs com
| http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards