Re: [fw-wiz] Stateful Proxying?

From: David Lang (david.lang@digitalinsight.com)
Date: 03/18/03

  • Next message: Paul D. Robertson: "Re: [fw-wiz] Stateful Proxying?"
    From: David Lang <david.lang@digitalinsight.com>
    To: "Small, Jim" <jim.small@eds.com>
    Date: Mon, 17 Mar 2003 18:25:51 -0800 (PST)
    

    a lot of it depends on the particular proxy or stateful filter you are
    talking about.

    there are proxies that don't look at the content of the payload at all,
    they still break the connection into two parts so whatever games the
    source plays with IP header values don't get to the destination (you do
    have to have the firewall stack able to withstand such attacks in this
    case)

    other proxies go all the way up the stack, a box running sendmail as a
    relay is a proxy for SMTP (not a very secure one, but a proxy), just as a
    box running bind is a proxy for DNS. these proxies definitely look at
    everything, even though they probably don't check for RFC/rules compliance
    very well.

    a lot of stateful filter firewalls do very little other than check port
    info against a list of current connections, some do a lot more, although
    most of the time they have helper programs to do the most in-depth
    checking of a protocol (known on other firewalls as proxies, but as many
    of these vendors have spent a lot of money convincing customers that
    proxies are slow and unreliable they frequently call them 'security
    servers' or something similar)

    you really need to decide what protocols you would like to pass through
    the firewalls, and then start looking at what the firewalls will do with
    that particular set of protocols. when you do this include those that you
    would like if they were safe to do, sometimes a vendor will surprise you
    (one vendor for example has a ping proxy that clears the payload of ping
    and ping reply packets so that they are no longer an easy means of covert
    communications, the same vendor has a CIFS proxy that lets you disable
    specific functions through it. It so happens I trust CIFS so little that I
    still don't allow it through, but I could see cases where it could be
    helpful)

    David Lang

    On Mon, 17 Mar 2003, Small, Jim wrote:

    > Date: Mon, 17 Mar 2003 17:34:32 -0500
    > From: "Small, Jim" <jim.small@eds.com>
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Stateful Proxying?
    >
    > While talking about Firewalls and Proxies, I was asked, can you have a
    > "Stateful Proxy"?
    >
    > It seems like a simple enough question, but I was not sure how to answer it.
    > Typically a Proxy Server doesn't forward IP packets, so it must listen for
    > any service it proxies and then "proxy" the service. This almost implies
    > state, doesn't it? But do Proxy servers watch ack and sequence numbers or
    > "keep state" like a stateful packet filter does? Am I thinking about this
    > correctly?
    >
    > If a Proxy Server is "stateful" then the difference between a stateful
    > packet filter and a stateful proxy becomes small indeed. Would you then
    > classify the difference as whether or not the proxy server breaks the
    > connection/circuit and how far up the OSI model it checks and how thoroughly
    > it checks the protocols for RFC/rules conformance?
    >
    > I would greatly appreciate any feedback or pointers.
    >
    > Thanks,
    > <> Jim
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

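The difference David describes between a stateful filter that only "checks port info against a list of current connections" and a proxy that regenerates what it forwards (his ping-proxy example) can be shown on ICMP echo. The block below is an added illustration written for this archive page, not code from either poster or from any vendor product. The packets are constructed by hand (no network I/O), the ICMP layout and checksum are the real ones from RFC 792 / RFC 1071, and the two filter classes are hypothetical toy models: the stateful filter admits a reply only when its id/seq matches an outbound request it saw, but never touches the payload; the scrubbing proxy keeps the same state tracking and additionally rebuilds every forwarded packet with a zeroed payload and a fresh checksum, which is what kills an echo-payload covert channel.

```python
"""Stateful filter vs. scrubbing ping proxy on ICMP echo (constructed example).

ICMP echo header (RFC 792): type(1) code(1) checksum(2) id(2) seq(2) payload.
"""
import struct


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request (type 8) or reply (type 0) with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes):
    """Return (type, id, seq, payload); reject short, corrupt or non-echo packets."""
    if len(pkt) < 8:
        raise ValueError("short ICMP packet")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp_type not in (0, 8) or code != 0:
        raise ValueError("not an echo request/reply")
    return icmp_type, ident, seq, pkt[8:]


class StatefulFilter:
    """Hypothetical stateful filter: remembers outbound echo requests by
    (id, seq) and admits an inbound reply only if it matches one of them.
    The payload is never examined, so whatever the far end put in the
    reply goes through unchanged."""

    def __init__(self):
        self.pending = set()

    def outbound(self, pkt: bytes) -> bytes:
        icmp_type, ident, seq, _payload = parse_echo(pkt)
        if icmp_type == 8:
            self.pending.add((ident, seq))
        return pkt

    def inbound(self, pkt: bytes):
        """Forwarded packet if it matches state, else None (dropped)."""
        icmp_type, ident, seq, _payload = parse_echo(pkt)
        if icmp_type == 0 and (ident, seq) in self.pending:
            self.pending.discard((ident, seq))
            return pkt
        return None


class ScrubbingPingProxy(StatefulFilter):
    """Hypothetical ping proxy: same state tracking, but every forwarded packet
    is regenerated with a zeroed payload of the same length and a recomputed
    checksum, so neither direction can carry data in the echo payload."""

    @staticmethod
    def _scrub(pkt: bytes) -> bytes:
        icmp_type, ident, seq, payload = parse_echo(pkt)
        return build_echo(icmp_type, ident, seq, b"\x00" * len(payload))

    def outbound(self, pkt: bytes) -> bytes:
        return self._scrub(super().outbound(pkt))

    def inbound(self, pkt: bytes):
        passed = super().inbound(pkt)
        return None if passed is None else self._scrub(passed)


if __name__ == "__main__":
    request = build_echo(8, 0x1234, 1, b"abc")
    covert_reply = build_echo(0, 0x1234, 1, b"exfil-data")  # constructed covert payload

    sf = StatefulFilter()
    sf.outbound(request)
    print("stateful filter forwards:", parse_echo(sf.inbound(covert_reply))[3])

    px = ScrubbingPingProxy()
    px.outbound(request)
    print("scrubbing proxy forwards:", parse_echo(px.inbound(covert_reply))[3])
```

Both objects drop an unsolicited reply and a replayed one (the state entry is consumed on first match), so both are "stateful" in Jim's sense; only the proxy changes what reaches the destination. A real proxy would also terminate the IP layer on each side, so header games from the source never reach the inside host at all, which is the point David makes about the firewall's own stack having to withstand them.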
