Re: [fw-wiz] Proxy and Stateful together ??

From: Bennett Todd (bet@rahul.net)
Date: 11/16/02


From: Bennett Todd <bet@rahul.net>
To: Jean Caron <caronj@norac.net>
Date: Sat Nov 16 09:29:01 2002


2002-11-15-10:19:51 Jean Caron:
> I'd really like to find a true hybrid firewall doing both
> Application Level Proxy and Stateful Packet Filtering, with the
> flexibility of doing either or.

My favourite bastion architecture!

Pick open source base OS of choice; I happen to like Linux, but any
of the *BSDs work as well. Use its built-in stateful packet
filtering, mix and match however tastes best with an assortment of
open source proxies of various sorts. Wherever possible use really
well-written, tightly-secured, high-level application proxies. The
gold standard of this sort would be, for SMTP, qmail and Postfix,
and for DNS, djbdns. All the others are a step down.

Given the difficulty finding really first-rate top quality secure
application-layer proxies, I think SELinux is coming to be an
exceedingly attractive platform for building these gizmos, since it
offers some helpful tools for sandboxing less-perfectly-trusted
daemons. I'd also be tempted to mix in some of the canary stuff from
Immunix (StackGuard and all that).

Might park a snort on it while I was about it, too.

The Olde Fashioned way to pull this off is of course to sandbox the
less-trustworthy application proxies out in separate physical boxes
out on DMZs. Nice if you can afford it :-).

-Bennett
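The architecture Bennett sketches (the base OS's stateful packet filter in front, application proxies such as Postfix or djbdns behind it, nothing routed straight through) can be written down as a small ruleset. The following is an added example, not code from the original post or from any of the projects named in it: a POSIX shell script that emits a Linux iptables-restore ruleset for such a bastion. It assumes modern iptables `conntrack` and `owner` match syntax, and the proxy user names (`postfix`, `dnscache`) and the `SERVICES` list are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore
# ruleset for a Linux bastion that combines the kernel's stateful packet
# filter with local application proxies. The FORWARD chain is DROP, so the
# only way across the box is through a proxy; the filter only admits NEW
# connections to each proxy's listener, and only that proxy's uid may open
# outbound connections for its protocol (modern conntrack/owner syntax
# assumed; user names are placeholders).

# Each entry is proto:port:unix-user of the proxy that owns that service
# (assumed names: postfix for SMTP, dnscache for djbdns' resolver).
SERVICES="tcp:25:postfix udp:53:dnscache tcp:53:dnscache"

# validate_service ENTRY -> 0 if ENTRY is well-formed, 1 otherwise.
validate_service() {
    case "$1" in
        tcp:*:*|udp:*:*) ;;
        *) return 1 ;;
    esac
    port=${1#*:}; port=${port%%:*}
    user=${1##*:}
    [ -n "$user" ] || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# bastion_ruleset ENTRY... -> prints the complete ruleset on stdout,
# returns 1 (printing nothing) if any entry is malformed.
bastion_ruleset() {
    for s in "$@"; do
        validate_service "$s" || { echo "bad service entry: $s" >&2; return 1; }
    done
    # Fixed part: default-deny everywhere, loopback open, state tracking.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # Per-proxy part: one inbound and one outbound NEW rule each.
    for s in "$@"; do
        proto=${s%%:*}
        port=${s#*:}; port=${port%%:*}
        user=${s##*:}
        printf '%s\n' "-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        printf '%s\n' "-A OUTPUT -p $proto --dport $port -m owner --uid-owner $user -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# Print the ruleset by default; load it into the kernel only when asked
# (APPLY=1, run as root). $SERVICES is deliberately unquoted so it splits
# into one argument per entry.
if [ "${APPLY:-0}" = 1 ]; then
    bastion_ruleset $SERVICES | iptables-restore
else
    bastion_ruleset $SERVICES
fi
```

Running the script prints the ruleset for review; `APPLY=1 ./bastion.sh` feeds it to `iptables-restore`, which will refuse to load if a `--uid-owner` name does not exist on the box, so create the proxy accounts first. The `FORWARD DROP` policy is the line that turns a packet filter into a proxy bastion: with it, a host behind the firewall cannot reach the outside except by talking to one of the listed proxies.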