Re: [fw-wiz] Stateful Proxying?

From: David Lang (david.lang@digitalinsight.com)
Date: 03/18/03

  • Next message: Paul D. Robertson: "Re: [fw-wiz] Stateful Proxying?"
    From: David Lang <david.lang@digitalinsight.com>
    To: "Small, Jim" <jim.small@eds.com>
    Date: Mon, 17 Mar 2003 18:25:51 -0800 (PST)
    

    a lot of it depends on the particular proxy or stateful filter you are
    talking about.

    there are proxies that don't look at the content of the payload at all,
    they still break the connection into two parts so whatever games the
    source playes with IP header values don't get to the destination (you do
    have to have the firewall stack able to withstand such attacks in this
    case)

    other proxies go all the way up the stack, a box running sendmail as an
    relay is a proxy for SMTP (not a very secure one, but a proxy), just as a
    box running bind is a proxy for DNS. these proxies definantly look at
    everything, even though they probably don't check for RFC/rules compliance
    very well

    a lot of stateful filter firewalls do very little other then check port
    info against a list of current connections, some do a lot more, although
    most of the time they have helper programs to do the most in-depth
    checking of a protocol (known on other firewalls as proxies, but as many
    of these vendors have spent a lot of money convincing customers that
    proxies are slow and unreliable they frequently call them 'sercurity
    servers' or something similar)

    you really need to decide what protocols you would like to pass through
    the firewalls, and then start looking at what the firewalls will do with
    that particular set of protocols. when you do this include those that you
    would like if they were safe to do, sometimes a vendor will surprise you
    (one vendor for example has a ping proxy that clears the payload of ping
    and ping reply packets so that they are no longer a easy means of covert
    communications, the same vendor has a CIFS proxy that lets you disable
    specific fucntions through it. It so happens I trust CIFS so little that I
    still don't allow it through, but I could see cases where it could be
    helpful)

    David Lang

    On Mon, 17 Mar 2003, Small, Jim wrote:

    > Date: Mon, 17 Mar 2003 17:34:32 -0500
    > From: "Small, Jim" <jim.small@eds.com>
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Stateful Proxying?
    >
    > While talking about Firewalls and Proxies, I was asked, can you have a
    > "Stateful Proxy"?
    >
    > It seems like a simple enough question, but I was not sure how to answer it.
    > Typically a Proxy Server doesn't forward IP packets, so it must listen for
    > any service it proxies and then "proxy" the service. This almost implies
    > state, doesn't it? But do Proxy servers watch ack and sequence numbers or
    > "keep state" like a stateful packet filter does? Am I thinking about this
    > correctly?
    >
    > If a Proxy Server is "stateful" then the difference between a stateful
    > packet filter and a stateful proxy becomes small indeed. Would you then
    > classify the difference as whether or not the proxy server breaks the
    > connection/circuit and how for up the OSI model it checks and how thoroughly
    > it checks the protocols for RFC/rules conformance?
    >
    > I would greatly appreciate any feedback or pointers.
    >
    > Thanks,
    > <> Jim
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Paul D. Robertson: "Re: [fw-wiz] Stateful Proxying?"