Re: [fw-wiz] Stateful Proxying?

From: Mike Scher (mscher@neohapsis.com)
Date: 03/18/03

  • Next message: Georges Jahchan: "[fw-wiz] Securing www server w/Oracle back end."
    From: Mike Scher <mscher@neohapsis.com>
    To: "Paul D. Robertson" <proberts@patriot.net>
    Date: Mon, 17 Mar 2003 21:15:13 -0600 (CST)
    

    On Mon, 17 Mar 2003, Paul D. Robertson wrote:
    > On Mon, 17 Mar 2003, Small, Jim wrote:
    > > While talking about Firewalls and Proxies, I was asked, can you have a
    > > "Stateful Proxy"?
    >
    > True proxies are stateful by their nature, they do TCP state on the hosts'
    > stack, and application level state on the client and server sides of their
    > code.

    A proxy indeed means a stand-between, pretending to be a server to the
    client, and a client to the server. How DEEP it goes beyond L4 (5-7) is a
    matter of, as Paul says, implementation. But a proxy by definition stands
    between and breaks the connection between the two sides of a protocol
    conversation.

    It has to imply state or we're going into marketing mode on the term
    proxy. Perhaps we'd like to redefine state and also protocol while we're
    at it?

    > Sequence numbers are a part of the host stack on a proxy, so yes, it does
    > indeed keep track of them (assuming the stack isn't horribly broken.)

    Heh. A proxy is generally implemented as a userland program on a
    man-in-the-middle (MITM) host, which may also act for traffic control as
    more than a next-hop router. If the host stack is poorly implemented, the
    proxy may in effect lower security. I've seen a commercial proxy firewall
    ship on a Linux kernel release that accidentally packaged a test TCP
    initial sequence number (ISN) implementation (predictably additive; for
    test purposes). As a result, the proxy firewall made the TCP sessions
    MORE subject to hijack/spoof abuse.

    > > If a Proxy Server is "stateful" then the difference between a stateful
    > > packet filter and a stateful proxy becomes small indeed. Would you then
    >
    > Like all things computerish, it depends a lot on implementation.

    A stateful packet filter, at least in common parlance (is there any other
    definition?) goes to L4 -- at BEST. See the NWC sidebar from back in late
    2001 testing various "stateful" firewall implementations
    <http://www.networkcomputing.com/1223/1223f26.html> for an idea of how
    much variance there can be just at L4. A proxy covers at least through
    L4, and often has protocol-scrubbing capabilities through detailed
    portions of the protocol's application layer. "Depends a lot on
    implementation."

    > Proxies, filters and hybrids all do differing things, sometimes on the
    > same system for different protocols. There's so much variance in
    > different systems that it's really a bad idea to try to generalize at this
    > point.

    Indeed. That's a great point -- and don't trust marketing uses of the
    terms. Instead, drill down and ask what the firewall DOES. Don't accept
    ill-defined "technical" terms in response to your questions if you need
    specific answers.

    > Don't forget though that some RFCs are better broken from a security
    > context (like parts of FTP if you must allow it at all.)

    Spot on.

          -M

    -- 
    Michael Brian Scher     |     Director, Neohapsis Labs
    mscher@neohapsis.com    |     General Counsel
    Fax: 773-394-8314       |     Vox: 773-394-8310
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
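The ISN anecdote above is the kind of thing an auditor can check for directly. The following is an added example, not code from the thread or from any product it mentions: given ISNs captured from successive SYN-ACKs of the host under test (the sample lists here are constructed), it reports whether consecutive ISNs differ by a constant or tightly clustered amount, as the "additive" test generator Scher describes would, or look random. The `spread_threshold` value is an assumed tuning knob, not a published standard.

```python
"""Classify observed TCP initial sequence numbers (ISNs) as constant,
predictable (near-constant increments) or random.  Added audit example;
the sample ISN lists below are constructed, not captured from a real host.
"""
import statistics

MOD = 2**32  # ISNs are 32-bit, so successive differences wrap


def isn_deltas(isns):
    """Return the differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns, spread_threshold=1_000_000):
    """Classify a list of ISNs observed from successive connections.

    'constant'    -> every increment identical (the purely additive case)
    'predictable' -> increments cluster tightly (std dev < spread_threshold,
                     an assumed threshold chosen for illustration)
    'random'      -> increments spread across the 32-bit space
    Requires at least three samples so that two deltas can be compared.
    """
    if len(isns) < 3:
        raise ValueError("need at least 3 ISN samples")
    deltas = isn_deltas(isns)
    if len(set(deltas)) == 1:
        return "constant"
    if statistics.pstdev(deltas) < spread_threshold:
        return "predictable"
    return "random"


# Constructed samples: an additive test generator (+64000 each connection),
# a jittery additive generator, and values spread over the 32-bit space.
ADDITIVE_ISNS = [4096, 68096, 132096, 196096]
JITTERY_ISNS = [1000, 65000, 129010, 192990, 257000]
RANDOMISH_ISNS = [0x9A3F1C22, 0x12E7AB05, 0xD43BE918, 0x5B02C7F0, 0x8E11D3A4]

if __name__ == "__main__":
    for name, sample in (("additive", ADDITIVE_ISNS),
                         ("jittery", JITTERY_ISNS),
                         ("randomish", RANDOMISH_ISNS)):
        print(f"{name:10s} -> {classify_isn(sample)}")
```

A stack that scores `constant` or `predictable` here is the failure mode the post describes: a proxy firewall terminating connections on such a stack weakens, rather than strengthens, the sessions it mediates.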
    
