Re: [fw-wiz] Application Proxy/L7 Firewall Recommendation?

From: Balazs Scheidler (bazsi@balabit.hu)
Date: 09/05/02


From: Balazs Scheidler <bazsi@balabit.hu>
To: Jeff Newton <Jeff_Newton@pmc-sierra.com>
Date: Thu Sep  5 08:31:00 2002

On Wed, Sep 04, 2002 at 07:44:27PM -0700, Jeff Newton wrote:
>
> Can anyone suggest or recommend a sophisticated application-layer proxy?
>
> I'm interested in anything particularly adept at scrubbing HTTP of
> instant message, file sharing, and remote access applications that
> tunnel to bypass traditional security measures.

You might be interested in Zorp. It has really nifty features, and is free
(GNU/GPL).

1. it has really strict proxies
2. you can hook into decision points with its built in script language

This sample demonstrates how to anonymize/remove the HTTP Referer header, so
websites that expect a correct referer header still work:

from Zorp.Core import *
from Zorp.Http import *   # HttpProxy and the HTTP_REQ_POLICY / HTTP_HDR_ACCEPT constants (assumed import path)

class RefererFilterHttpProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        # Hand every Referer request header to checkReferer instead of passing it through
        self.request_headers["Referer"] = (HTTP_REQ_POLICY, self.checkReferer)

    def checkReferer(self, hdr_name, hdr_value):
        # Overwrite the header value with the URL being requested, then accept the header
        self.current_header_value = self.request_url
        return HTTP_HDR_ACCEPT

This will insert the current URL as the referer, which makes the usual
referer-checking websites happy, while filtering out the real information.

You can do similar tricks with FTP and all the supported protocols.
(anonymous, download only FTP, with a one-way-only data channel)

The GPL version includes protocol proxies for HTTP, FTP, FINGER, WHOIS,
PLUG, TELNET, SSL.

And yes, SSL means that you can peek into decrypted SSL streams. (URL
filtering in HTTPS, anyone?) You can limit CONNECT, or stack in a decrypting
HTTPS proxy within the CONNECT method to keep instant messengers from going
through your firewall.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
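As an added illustration of the two ideas in the reply above (per-header decision hooks that rewrite the Referer to the requested URL, and a method policy that limits CONNECT), here is a small stand-alone model of such a policy engine. It is example code written for this page, not Zorp's own code: the constant names (HDR_ACCEPT, REQ_POLICY, ...), the HttpPolicy class and the sample request are all invented here to mirror the style of the post, and the request is parsed from a constructed byte string so the whole thing runs offline.

```python
"""Stand-alone model of Zorp-style HTTP policy hooks (added example, not Zorp code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Header decisions, modelled on the HTTP_HDR_ACCEPT style of the post (names invented here)
HDR_ACCEPT, HDR_DROP, HDR_POLICY = "hdr-accept", "hdr-drop", "hdr-policy"
# Method decisions, modelled on the HTTP_REQ_POLICY style of the post (names invented here)
REQ_ACCEPT, REQ_REJECT, REQ_POLICY = "req-accept", "req-reject", "req-policy"


class PolicyReject(Exception):
    """Raised when the policy refuses the request outright."""


@dataclass
class HttpRequest:
    method: str
    url: str          # a proxy sees the absolute URL (or host:port for CONNECT) in the request line
    version: str
    headers: List[Tuple[str, str]] = field(default_factory=list)


def parse_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of an HTTP/1.x request; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, url, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpRequest(method, url, version, headers)


def serialize(req: HttpRequest) -> bytes:
    lines = [f"{req.method} {req.url} {req.version}"]
    lines += [f"{name}: {value}" for name, value in req.headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


class HttpPolicy:
    """Base class: one decision table for methods, one for request headers."""

    def __init__(self) -> None:
        self.request: Dict[str, Tuple[str, Optional[Callable]]] = {}
        self.request_header: Dict[str, Tuple[str, Optional[Callable]]] = {}
        self.default_method = REQ_REJECT   # methods not listed are refused
        self.default_header = HDR_ACCEPT   # headers not listed pass through unchanged

    def apply(self, req: HttpRequest) -> HttpRequest:
        decision, hook = self.request.get(req.method, (self.default_method, None))
        if decision == REQ_POLICY:
            decision = hook(req)             # the hook decides for this particular request
        if decision != REQ_ACCEPT:
            raise PolicyReject(f"{req.method} to {req.url} refused by policy")
        kept = []
        for name, value in req.headers:
            decision, hook = self.request_header.get(name.lower(), (self.default_header, None))
            if decision == HDR_POLICY:
                decision, value = hook(name, value, req)   # the hook may rewrite the value
            if decision == HDR_ACCEPT:
                kept.append((name, value))
            # HDR_DROP: the header is silently removed from the forwarded request
        return HttpRequest(req.method, req.url, req.version, kept)


class RefererFilterPolicy(HttpPolicy):
    """The post's Referer trick, plus a CONNECT restriction and one dropped header."""

    def __init__(self) -> None:
        super().__init__()
        self.request["GET"] = (REQ_ACCEPT, None)
        self.request["POST"] = (REQ_ACCEPT, None)
        self.request["CONNECT"] = (REQ_POLICY, self.check_connect)
        self.request_header["referer"] = (HDR_POLICY, self.rewrite_referer)
        self.request_header["x-forwarded-for"] = (HDR_DROP, None)   # internal addresses must not leak

    def rewrite_referer(self, name: str, value: str, req: HttpRequest) -> Tuple[str, str]:
        # Replace the real Referer with the URL being requested: sites that insist on a
        # Referer still see a plausible one, while the user's browsing history stays inside.
        return HDR_ACCEPT, req.url

    def check_connect(self, req: HttpRequest) -> str:
        # Allow CONNECT only towards the HTTPS port; tunnels to other ports are refused.
        _, _, port = req.url.rpartition(":")
        return REQ_ACCEPT if port == "443" else REQ_REJECT


def scrub(raw: bytes, policy: Optional[HttpPolicy] = None) -> bytes:
    """Run one raw request through the policy and return the request to forward."""
    return serialize((policy or RefererFilterPolicy()).apply(parse_request(raw)))


if __name__ == "__main__":
    # Constructed sample: what a browser configured to use the proxy would send
    sample = (b"GET http://example.com/index.html HTTP/1.1\r\n"
              b"Host: example.com\r\n"
              b"Referer: http://intranet.example/secret-page\r\n"
              b"X-Forwarded-For: 10.0.0.5\r\n\r\n")
    print(scrub(sample).decode())
```

Running the module prints the forwarded request with the Referer replaced by the requested URL and the X-Forwarded-For header gone; a CONNECT to port 5190 raises PolicyReject while a CONNECT to port 443 passes. The default-deny on methods is the design choice worth copying: anything the policy did not explicitly list is refused, which is what makes a strict proxy strict.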