Re: [fw-wiz] Stateful Proxying?

From: Mike Scher
Date: 03/18/03

  • Next message: Georges Jahchan: "[fw-wiz] Securing www server w/Oracle back end."
    From: Mike Scher <>
    To: "Paul D. Robertson" <>
    Date: Mon, 17 Mar 2003 21:15:13 -0600 (CST)

    On Mon, 17 Mar 2003, Paul D. Robertson wrote:
    > On Mon, 17 Mar 2003, Small, Jim wrote:
    > > While talking about Firewalls and Proxies, I was asked, can you have a
    > > "Stateful Proxy"?
    > True proxies are stateful by their nature, they do TCP state on the hosts'
    > stack, and application level state on the client and server sides of their
    > code.

    A proxy indeed means a stand-between, pretending to be a server to the
    client, and a client to the server. How DEEP it goes beyond L4 (5-7) is a
    matter of, as Paul says, implementation. But a proxy by definition stands
    between and breaks the connection between the two sides of a protocol.

    It has to imply state or we're going into marketing mode on the term
    proxy. Perhaps we'd like to redefine state and also protocol while we're
    at it?

    > Sequence numbers are a part of the host stack on a proxy, so yes, it does
    > indeed keep track of them (assuming the stack isn't horribly broken.)

    Heh. A proxy is generally implemented as a userland program on a
    man-in-the-middle (MITM) host, which may also act for traffic-control as
    more than a next-hop router. If the host stack is poorly-implemented, the
    proxy may in effect lower security. I've seen a commercial proxy firewall
    ship on a Linux kernel release that accidentally packaged a test TCP
    initial sequence number (ISN) implementation (predictably additive; for
    test purposes). As a result, the proxy firewall made the TCP sessions
    MORE subject to hijack/spoof abuse.

    > > If a Proxy Server is "stateful" then the difference between a stateful
    > > packet filter and a stateful proxy becomes small indeed. Would you then
    > Like all things computerish, it depends a lot on implementation.

    A stateful packet filter, at least in common parlance (is there any other
    definition?) goes to L4 -- at BEST. See the NWC sidebar from back in late
    2001 testing various "stateful" firewall implementations
    <> for an idea of how
    much variance there can be just at L4. A proxy covers at least through
    L4, and often has protocol-scrubbing capabilities through detailed
    portions of the protocol's application layer. "Depends a lot on

    > Proxies, filters and hybrids all do differing things, sometimes on the
    > same system for different protocols. There's so much variance in
    > different systems that it's really a bad idea to try to generalize at this
    > point.

    Indeed. That's a great point -- and don't trust marketing uses of the
    terms. Instead, drill down and ask what the firewall DOES. Don't accept
    ill-defined "technical" terms in response to your questions if you need
    specific answers.

    > Don't forget though that some RFCs are better broken from a security
    > context (like parts of FTP if you must allow it at all.)

    Spot on.


    Michael Brian Scher     |     Director, Neohapsis Labs    |     General Counsel
    Fax: 773-394-8314       |     Vox: 773-394-8310
    firewall-wizards mailing list
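The "predictably additive" ISN anecdote above is the kind of stack defect a firewall operator can check for before trusting a proxy host. The following is an added illustration, not code from the thread: it classifies a sample of ISNs observed from consecutive connections as constant-increment, low-variance, or random-looking. The samples and the spread threshold are constructed assumptions, not captured traffic or a standard.

```python
"""Classify a sample of TCP initial sequence numbers (ISNs) observed from a
host's stack.  Added example, not from the original thread.  Thresholds and
samples are assumptions chosen for illustration."""

ISN_MODULUS = 1 << 32           # ISNs are 32-bit, so deltas are taken modulo 2^32
LOW_VARIANCE_SPREAD = 1 << 16   # assumed: deltas within 65536 of each other count as low-variance


def isn_deltas(isns):
    """Successive ISN differences, modulo 2^32 so wrap-around does not distort them."""
    return [(later - earlier) % ISN_MODULUS for earlier, later in zip(isns, isns[1:])]


def classify_isns(isns):
    """Return (label, deltas) for ISNs sampled from consecutive connections.

    'constant-increment': every delta identical (the additive test stack case)
    'low-variance'      : deltas differ only within LOW_VARIANCE_SPREAD
    'random-looking'    : deltas spread widely; this crude check finds no pattern
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISNs to form two deltas")
    deltas = isn_deltas(isns)
    spread = max(deltas) - min(deltas)
    if spread == 0:
        return "constant-increment", deltas
    if spread < LOW_VARIANCE_SPREAD:
        return "low-variance", deltas
    return "random-looking", deltas


# Constructed samples, not captured traffic.
ADDITIVE_SAMPLE = [0xFFFF0600, 0x00000000, 0x0000FA00, 0x0001F400]  # +64000 each, crossing 2^32
JITTERED_SAMPLE = [1000, 65000, 129012, 193002]                     # ~+64000 with small jitter
RANDOM_SAMPLE = [0x1A2B3C4D, 0x9F0E1D2C, 0x3C4D5E6F, 0x7B8C9DAE, 0x0F1E2D3C]

if __name__ == "__main__":
    for name, sample in [("additive", ADDITIVE_SAMPLE),
                         ("jittered", JITTERED_SAMPLE),
                         ("random", RANDOM_SAMPLE)]:
        label, deltas = classify_isns(sample)
        print(f"{name:9s} -> {label:19s} deltas={deltas}")
```

A real assessment would sample many more ISNs under load; the wrap-around handling matters because an additive stack eventually crosses 2^32 and a naive subtraction would hide the constant step.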
