Re: [fw-wiz] Stateful Proxying?
From: Mike Scher (mscher@neohapsis.com)
Date: 03/18/03
- Previous message: Marcus J. Ranum: "Re: [fw-wiz] Stateful Proxying?"
- In reply to: Paul D. Robertson: "Re: [fw-wiz] Stateful Proxying?"
- Next in thread: Marcus J. Ranum: "Re: [fw-wiz] Stateful Proxying?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Mike Scher <mscher@neohapsis.com>
To: "Paul D. Robertson" <proberts@patriot.net>
Date: Mon, 17 Mar 2003 21:15:13 -0600 (CST)
On Mon, 17 Mar 2003, Paul D. Robertson wrote:
> On Mon, 17 Mar 2003, Small, Jim wrote:
> > While talking about Firewalls and Proxies, I was asked, can you have a
> > "Stateful Proxy"?
>
> True proxies are stateful by their nature, they do TCP state on the hosts'
> stack, and application level state on the client and server sides of their
> code.
A proxy indeed means a stand-between, pretending to be a server to the
client, and a client to the server. How DEEP it goes beyond L4 (5-7) is a
matter of, as Paul says, implementation. But a proxy by definition stands
between and breaks the connection between the two sides of a protocol
conversation.
It has to imply state or we're going into marketing mode on the term
proxy. Perhaps we'd like to redefine state and also protocol while we're
at it?
> Sequence numbers are a part of the host stack on a proxy, so yes, it does
> indeed keep track of them (assuming the stack isn't horribly broken.)
Heh. A proxy is generally implemented as a userland program on a
man-in-the-middle (MITM) host, which may also act for traffic-control as
more than a next-hop router. If the host stack is poorly-implemented, the
proxy may in effect lower security. I've seen a commercial proxy firewall
ship on a Linux kernel release that accidentally packaged a test TCP
initial sequence number (ISN) implementation (predictably additive; for
test purposes). As a result, the proxy firewall made the TCP sessions
MORE subject to hijack/spoof abuse.
> > If a Proxy Server is "stateful" then the difference between a stateful
> > packet filter and a stateful proxy becomes small indeed. Would you then
>
> Like all things computerish, it depends a lot on implementation.
A Stateful packet filter, at least in common parlance (is there any other
definition?) goes to L4 -- at BEST. See the NWC sidebar from back in late
2001 testing various "stateful" firewall implementations
<http://www.networkcomputing.com/1223/1223f26.html> for an idea of how
much variance there can be just at L4. A proxy covers at least through
L4, and often has protocol-scrubbing capabilities through detailed
portions of the protocol's application layer. "Depends a lot on
implementation."
> Proxies, filters and hybrids all do differing things, sometimes on the
> same system for different protocols. There's so much variance in
> different systems that it's really a bad idea to try to generalize at this
> point.
Indeed. That's a great point -- and don't trust marketing uses of the
terms. Instead, drill down and ask what the firewall DOES. Don't accept
ill-defined "technical" terms in response to your questions if you need
specific answers.
> Don't forget though that some RFCs are better broken from a security
> context (like parts of FTP if you must allow it at all.)
Spot on.
-M
--
Michael Brian Scher | Director, Neohapsis Labs
mscher@neohapsis.com | General Counsel
Fax: 773-394-8314 | Vox: 773-394-8310
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
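The ISN anecdote above is worth seeing in numbers. The following is an added example, not code from the thread or from any product it mentions: a stand-in for a "predictably additive" ISN generator (the start value and the 64000 increment are assumed for illustration), a CSPRNG-based generator for comparison, and the guess a blind attacker would make after watching a few connections. Against the additive generator the attacker predicts the next ISN exactly every time, which is what makes a spoofed or hijacked session feasible without seeing the proxy host's replies.

```python
"""Why a predictable TCP ISN on the proxy host weakens the sessions it proxies.

Constructed example: the additive generator stands in for the 'test' ISN
implementation described in the post; the concrete numbers are assumptions.
"""
import random

MODULUS = 1 << 32  # TCP sequence numbers are 32-bit


class AdditiveISN:
    """Each new connection gets the previous ISN plus a fixed increment.
    Start value and step are assumed values chosen for illustration."""

    def __init__(self, start=0x12345678, step=64000):
        self.cur = start
        self.step = step

    def next_isn(self):
        self.cur = (self.cur + self.step) % MODULUS
        return self.cur


class RandomISN:
    """Unpredictable generator: draws each ISN from the OS CSPRNG."""

    def __init__(self):
        self.rng = random.SystemRandom()

    def next_isn(self):
        return self.rng.randrange(MODULUS)


def predict_next(observed):
    """Blind attacker's guess: assume a constant increment between consecutive
    ISNs (learned from two observed connections) and extrapolate one step."""
    if len(observed) < 2:
        raise ValueError("need at least two observed ISNs")
    step = (observed[-1] - observed[-2]) % MODULUS
    return (observed[-1] + step) % MODULUS


def spoofed_ack_matches(guessed_isn, real_isn):
    """A spoofed third-handshake segment must carry ACK = server ISN + 1.
    If the guess is right, the host accepts a connection the attacker never
    saw a reply for."""
    return (guessed_isn + 1) % MODULUS == (real_isn + 1) % MODULUS


def attack_success_rate(generator, probes=3, trials=1000):
    """Open `probes` legitimate connections to learn ISNs, then try to guess
    the ISN the host will hand the next (spoofed) connection.
    Returns the fraction of trials in which the guess was exact."""
    hits = 0
    for _ in range(trials):
        observed = [generator.next_isn() for _ in range(probes)]
        guess = predict_next(observed)
        if spoofed_ack_matches(guess, generator.next_isn()):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("additive ISN, exact guesses:", attack_success_rate(AdditiveISN()))
    print("random ISN, exact guesses:  ", attack_success_rate(RandomISN()))
```

The attacker's predictor needs no knowledge of the step in advance; two observed handshakes are enough to recover it, and a wraparound past 2^32 does not help the defender because the arithmetic is modular on both sides. The practical check on a real host is the same idea: open several connections in quick succession, record the server ISNs, and see whether the differences are constant.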