Re: [fw-wiz] Application Intelligent vs ALG

From: Adam Shostack (adam_at_homeport.org)
Date: 06/24/03

  • Next message: ark_at_eltex.net: "Re: [fw-wiz] Application Intelligent vs ALG"
    To: Shimon Silberschlag <shimons@bll.co.il>
    Date: Tue, 24 Jun 2003 11:58:26 -0400
    
    

    I think we can see if it's better or not by applying intelligence.

    If by better, we mean "resists more attacks," then a real
    proxy which terminates the connection and re-builds it will catch all
    the attacks which the inspect code can, plus some set of attacks where
    the proxy author doesn't copy things the same way the app does;
    perhaps reducing integer wrap-around problems.

    If by better, we mean "faster," then an inspection engine which
    copies, inspects and sends the original is going to be faster than a
    proxy which copies, inspects, corrects, and sends, assuming that the
    inspections are equal.

    Only if by better, we mean "no one ever got fired for buying this,"
    then the jury is still out.

    All three are valid meanings of better.

    Adam

    On Tue, Jun 24, 2003 at 09:10:02AM +0200, Shimon Silberschlag wrote:
    | It is my understanding that CP is different from an ALG because with
    | an ALG, the ALG rewrites the packet to the destination, while with
    | Checkpoint Application Intelligence, they only check if it's "safe" to
    | pass to the destination.
    |
    | If it's better or not, remains to be seen.
    |
    | Shimon Silberschlag
    |
    | +972-3-9351572
    | +972-51-207130
    |
    | ----- Original Message -----
    | From: "Frederick M Avolio" <fred@avolio.com>
    | To: <SimonChan@lifeisgreat.com.sg>;
    | <firewall-wizards@honor.icsalabs.com>
    | Sent: Monday, June 23, 2003 15:18
    | Subject: Re: [fw-wiz] Application Intelligent vs ALG
    |
    |
    | > A fancy proxy.
    | >
    | > Three different people from Check Point wrote me in response to a recent
    | > column of mine, basically asking me if I had heard of this new feature.
    | >
    | > I replied with a brief history. In short: Firewall-1 comes on the scene,
    | > most FW1 users implement it with modules from the TIS FWTK (for adding user
    | > authentication to FTP and TELNET), Check Point's marketing says proxies are
    | > old technology, stateful inspection is the next generation of firewall
    | > technology (before the term became a product name), people persisted in
    | > using proxies, CP added "security servers" (proxies by another name), and
    | > now this.
    | >
    | > I asked them, how is this different from application gateways (security
    | > proxies). I applaud the addition of them (like there are other hybrid
    | > firewalls). But none of the three folks from CP replied to me.
    | >
    | > I have no agenda, except the truth. (Boy, is this guy noble, or what? :-))
    | > I'd like to know the answer to this: How this is different than application
    | > gateways (if it is), and why is it better than Sidewinder, Firebox, Raptor,
    | > et al.
    | >
    | >
    | > Fred
    | > Avolio Consulting, Inc.
    | > 16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
    | > +1 410-309-6910 (voice) +1 410-309-6911 (fax)
    | > http://www.avolio.com/
    | > PGP Key Fingerprint: 928D 0903 934F 8CFA 6124
    | > BBF6 0B45 93C7 3521 CEA0
    | >
    | > _______________________________________________
    | > firewall-wizards mailing list
    | > firewall-wizards@honor.icsalabs.com
    | > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    |

    -- 
    "It is seldom that liberty of any kind is lost all at once."
                                                   -Hume
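An added illustration of the distinction drawn above (example code written for this archive page, not from Adam, Check Point or any product): both designs apply the same policy check to a constructed toy record protocol, but the inspection engine forwards the original bytes while the proxy forwards only what it parsed and rebuilt, so slack bytes the check never looked at do not reach the server.

```python
import struct

# Constructed toy protocol (not any product's format): a stream of records,
# each  type(1 byte) | length(2 bytes, big-endian) | payload, where the
# application reads the payload as a NUL-terminated ASCII command.
ALLOWED_TYPES = {0x01, 0x02}

def parse_records(buf: bytes):
    """Split the stream into (type, payload) tuples; reject truncated data."""
    records, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise ValueError("truncated header")
        rtype, length = struct.unpack(">BH", buf[pos:pos + 3])
        payload = buf[pos + 3:pos + 3 + length]
        if len(payload) != length:
            raise ValueError("truncated payload")
        records.append((rtype, payload))
        pos += 3 + length
    return records

def command_of(payload: bytes) -> bytes:
    """What the application acts on: the bytes up to the first NUL."""
    return payload.split(b"\x00", 1)[0]

def check(rtype: int, payload: bytes) -> bool:
    """The policy both designs apply: a known type and a printable ASCII command."""
    cmd = command_of(payload)
    return rtype in ALLOWED_TYPES and all(0x20 <= b < 0x7f for b in cmd)

def inspect_and_forward(buf: bytes):
    """Inspection engine: check every record, then send the ORIGINAL bytes."""
    if not all(check(t, p) for t, p in parse_records(buf)):
        return None
    return buf

def proxy_forward(buf: bytes):
    """Proxy: check every record, then send only what was parsed and REBUILT."""
    out = b""
    for rtype, payload in parse_records(buf):
        if not check(rtype, payload):
            return None
        cmd = command_of(payload) + b"\x00"   # canonical re-encoding of the field
        out += struct.pack(">BH", rtype, len(cmd)) + cmd
    return out

# Constructed sample: a valid record whose payload carries five bytes after the
# NUL that neither the application nor the policy check ever looks at.
GOOD = struct.pack(">BH", 0x01, 10) + b"STAT\x00" + b"\xff" * 5
# inspect_and_forward(GOOD) -> all 13 original bytes; proxy_forward(GOOD) -> 8 canonical bytes
```

The extra parse-and-rebuild pass is also where the proxy spends the time that the inspect-and-forward design saves.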
    
