Mailinglist Archive: opensuse-security (409 mails)

< Previous Next >
RE: [suse-security] YAST and updates
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Mon, 19 Aug 2002 12:23:37 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D101989539@xxxxxxxxxxxxxxxxx>
> Why is it preferrable to use a proxy instead of the
> appropriate firewall
> module.

It's preferrable IMHO and if the proxy is designed with security in mind. In
my and some others' opinions, application layer gateways offer better
protection than stateful or dumb packet filters. Ideally, you'll combine an
ALG with a packet filter.

One reason that I consider ALGs more secure than stateful filters is that
they're able to deal with application protocol complexities. Stateful
filters typically have a much more limited context, often only the TCP
segment or UDP datagram they're currently processing. As such, they can hope
to correctly identify PORT and other FTP control statements, but they should
also be easier to trick into wrong behaviour.

There have been numerous errors in stateful engines, some of them having to
do with FTP, one of which allowed an attacker to access any TCP port on (at
least, I don't remember well enough) the FTP server, by fragmenting PORT
commands. The fix chosen in all stateful filters I know of, which is to
allow only PORT commands enclosed within a single TCP segment or IP packet
(don't remember which exactly, but it's irrelevant to the point), is a
kludge, IMHO.

Tobias

< Previous Next >