Re: [fw-wiz] Stateful Proxying?

From: Darren Reed (darrenr@reed.wattle.id.au)
Date: 03/19/03

  • Next message: George J. Jahchan: "[fw-wiz] Layer 3-7 Firewall."
    From: Darren Reed <darrenr@reed.wattle.id.au>
    To: David Lang <david.lang@digitalinsight.com>
    Date: Wed, 19 Mar 2003 10:44:46 +1100 (EST)
    

    In some email I received from David Lang, sie wrote:
    > even the most basic proxy (the plug-gw from the FWTK for example) is as
    > stateful as most of the stateful filter firewalls out there. the state
    > being refered to is the state of the TCP connection not of the application
    > data.

    Were you present or otherwise have knowledge of the conversation that Jim
    is referring to in order to be able to claim that it's only the TCP state
    that is being referred to ?

    In essence, if "stateful proxy" means the same as "stateful filter" then
    it is really a meaningless conjunction of words as commonly understood
    in the firewall market today. A "stateful proxy" can easily be so much
    more. That's not to say a packet filtering solution can't have a stateful
    proxy either, as indeed the ftp proxy in IPFilter is a stateful proxy.

    btw, I'm pretty sure I could produce instances where plug-gw is less
    stateful than some packet filters because it doesn't maintain all the
    information presented on one side to the other or correctly enforce
    packets arriving at the proxy host to have the same characteristics.

    Anyway, I have more important things to do.

    Darren

    > On Tue, 18 Mar 2003,
    > Darren Reed wrote:
    >
    > > Date: Tue, 18 Mar 2003 23:52:52 +1100 (EST)
    > > From: Darren Reed <darrenr@reed.wattle.id.au>
    > > To: "Small, Jim" <jim.small@eds.com>
    > > Cc: firewall-wizards@honor.icsalabs.com
    > > Subject: Re: [fw-wiz] Stateful Proxying?
    > >
    > > In some email I received from Small, Jim, sie wrote:
    > > > While talking about Firewalls and Proxies, I was asked, can you have a
    > > > "Stateful Proxy"?
    > >
    > > To my way of thinking, if a proxy is stateful then it knows about the
    > > application it is working on behalf of, not just .
    > >
    > > For something like FTP, it might be whether or not the user has made
    > > a successful login or not.
    > >
    > > Of course I might be completely out of step with the rest of the world
    > > on this :-)
    > >
    > > Darren
    > > _______________________________________________
    > > firewall-wizards mailing list
    > > firewall-wizards@honor.icsalabs.com
    > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > >
    >
    > .
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: George J. Jahchan: "[fw-wiz] Layer 3-7 Firewall."

    Relevant Pages

    • Re: [fw-wiz] Evolution of Firewalls
      ... proxy does analysis and reconstructs data ... and stateful ispection system can only decide ... stateful inspection system to miss thing that is not known to it or to ... The proxy output stream, not only general ...
      (Firewall-Wizards)
    • Re: nntp.arcor.de nicht erreichbar?
      ... "what is needed is a firewall that does application filtering, which can be regarded as an extension to stateful packet inspection. ... Proxy betrachten. ...
      (de.sci.electronics)
    • [fw-wiz] Stateful Proxying?
      ... "Stateful Proxy"? ... any service it proxies and then "proxy" the service. ... If a Proxy Server is "stateful" then the difference between a stateful ...
      (Firewall-Wizards)