[431] in Best-of-Security
BoS: AG and SPF differences
daemon@ATHENA.MIT.EDU (Patrick Lee)
Mon Nov 3 22:36:40 1997
Date: Wed, 29 Oct 1997 14:18:46 -0500
From: Patrick Lee <patlee@panix.com>
Old-X-Originally-To: To: firewalls@GreatCircle.COM
Old-X-Originated-From: From: Patrick Lee <patlee@panix.com>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
Can someone tell me the main differences between AG and SPF firewalls from
the perspective that the firewall will be used for incoming traffic. i.e.
I'm not looking for something that'll let my internal users out. Actually
we're looking at two firewalls to sandwich the DMZ with. The one in front
needs primarily HTTP & HTTPS whereas the backend one would need to support
lots of other protocols. Ideally would an AG be better for the front end
and a SPF better for the backend?
If not, what does an AG buy me in the backend? Most AGs don't supported
protocols like RPC, SHTTP, SNMP, SQL*Net, and the usual ones NT uses so
I'll end up using generic proxies for these, right? Does an AG boil down to
simple packet filtering for non-supported protocols?
Even in the front end, what does an AG buy me for primarily *incoming*
traffic? I don't need URL filtering, virus scanning, controlling file
transfers, etc. etc. So in concept I'd agree AGs are more secure because
they have application knowledge. However, do a lot of the things AGs do
make sense for primarily incoming traffic?
Would appreciate any opinion ... even from vendors! 8-)
--
Patrick Lee <pat@patlee.org>
