Re: [fw-wiz] Evolution of Firewalls

From: ArkanoiD (ark_at_eltex.net)
Date: 03/10/04

    To: Dave Piscitello <dave@corecom.com>
    Date: Wed, 10 Mar 2004 12:20:39 +0300
    
    

    nuqneH,

    see comment inline:

    On Tue, Mar 09, 2004 at 02:32:04PM -0500, Dave Piscitello wrote:
    > At 12:24 PM 3/9/2004 +0300, you wrote:
    > >There is a major difference: a proxy does analysis and reconstructs the data
    > >stream from analysed data, and a stateful inspection system can only decide
    > >to let it pass or not. The impact is obvious: it is much more likely for a
    > >stateful inspection system to miss a thing that is not known to it or to
    > >exploit a bug when the inspection system parses data differently from
    > >the communication endpoint.
    >
    > I'm not certain this distinction exists once both proxies and stateful
    > inspection systems examine an entire application datum as they now must do.
    >
    > I agree completely that this distinction exists when you are talking about
    > stateful inspection of TCP and IP level packet streams.
    > But if we agree that an application datum = application header plus all the
    > data associated with that application operation (http response, for
    > example), then don't both systems examine the same object? This is the only
    > way I know how to interpret "deep packet inspection". Thus a stateful
    > inspection firewall can use many of the same rules a proxy has
    > traditionally applied to determine if the HTTP GET, for example, contains a
    > malformed URL, or a SQL injection attempt, etc.
    >
    > >The proxy output stream, not only general
    > >verdict, depends on parsing results.

    If you use "deep packet inspection", you may just try to decode/standardize the URL,
    bring it to a standard form, check if it looks good and let it pass or not.

    If you use an application proxy, you may decode/standardize the URL, bring it to a
    standard form and let pass or not your _decoding result_, not the original request,
    thus ensuring that if there are implementation differences in decoding on the
    firewall and on the endpoint they have no effect on policy and standards
    compliance.

    This applies to every level you examine, including tcp/ip data stream
    itself (see fragmentation problems, weird flags, TTL messing and so on).

    >
    > Sorry, I don't understand this?
    >
    > >YMMV and it is implementation dependent;
    >
    > Not familiar with the acronym YMMV

    Your mileage may vary

    >
    > >a bad proxy may implement a
    > >protocol without proper detail and a good stateful inspection engine
    > >may behave better, but proxy technology in general is clearly superior
    > >for the real world.
    >
    > To be honest, I see the distinction blurred in the current generation of
    > firewalls, to the extent that I can be persuaded to agree with the claim
    > that all firewalls that provide so-called application protection in fact
    > proxy traffic.
    >
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
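The distinction ArkanoiD draws above (the proxy forwards its own decoding result, the inspection engine forwards the original bytes, and this holds for URL decoding as well as for the TCP/IP stream with its fragmentation quirks) is easiest to see in a small model. The following Python is an added example, not code from the thread or from either author: it constructs a TCP-style stream with one overlapping segment, a toy policy that denies the constructed token `BLOCKED`, an "inspection" firewall that passes the original segments after a verdict, a "proxy" that re-emits a fresh segmentation of the bytes it inspected, and a constructed endpoint whose stack resolves overlaps the other way round. Every name, the sample data and the overlap policies are assumptions of this illustration, not a description of any real firewall product.

```python
"""Added illustration (not from the thread): why a proxy's forwarded bytes
cannot be parsed differently from what it inspected, using a constructed
model of overlapping TCP segments."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment: byte offset within the stream plus payload (constructed model)."""
    seq: int
    data: bytes


def reassemble(segments, favour="first"):
    """Rebuild the byte stream. Where two segments cover the same offset,
    keep either the first-arriving copy or the last-arriving copy; real
    stacks differ on exactly this choice, which is the ambiguity at issue."""
    if favour not in ("first", "last"):
        raise ValueError(f"unknown overlap policy {favour!r}")
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if favour == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    length = max(stream) + 1
    holes = [off for off in range(length) if off not in stream]
    if holes:
        raise ValueError(f"stream has gaps at offsets {holes[:5]}")
    return bytes(stream[off] for off in range(length))


# Constructed policy: the reconstructed request must not contain this token.
BANNED = b"BLOCKED"


def policy_allows(stream: bytes) -> bool:
    return BANNED not in stream


def inspection_firewall(segments):
    """Stateful/deep inspection: the verdict comes from the firewall's own
    reassembly, but the ORIGINAL segments, overlaps included, are what gets
    forwarded. Returns None when the policy denies the stream."""
    if not policy_allows(reassemble(segments, "first")):
        return None
    return list(segments)


def proxy_firewall(segments, mss=8):
    """Application proxy: reassemble, inspect, then emit a fresh, non-overlapping
    segmentation of the inspected bytes. The endpoint can only see the bytes
    the policy was evaluated on. Returns None when the policy denies the stream."""
    stream = reassemble(segments, "first")
    if not policy_allows(stream):
        return None
    return [Segment(off, stream[off:off + mss]) for off in range(0, len(stream), mss)]


def endpoint_receives(segments, favour="last"):
    """Constructed endpoint whose stack resolves overlaps the other way round."""
    return reassemble(segments, favour)


# Constructed sample: the second segment overlaps the first and rewrites
# offsets 5..11, so "first" and "last" reassembly give different requests.
SAMPLE = [
    Segment(0, b"GET /ALLOWED HTTP/1.0"),
    Segment(5, b"BLOCKED"),
]

if __name__ == "__main__":
    forwarded = inspection_firewall(SAMPLE)
    print("inspection firewall verdict   :", "allow" if forwarded else "deny")
    print("endpoint sees after inspection:", endpoint_receives(forwarded))
    rebuilt = proxy_firewall(SAMPLE)
    print("proxy verdict                 :", "allow" if rebuilt else "deny")
    print("endpoint sees after proxy     :", endpoint_receives(rebuilt))
```

Run stand-alone, the inspection path allows the stream (its own "first" reassembly reads `GET /ALLOWED`) yet the endpoint reconstructs `GET /BLOCKED` from the same untouched segments; the proxy path allows the same stream but the endpoint can only ever reconstruct `GET /ALLOWED`, whichever overlap rule it uses, because the overlap no longer exists on the wire. The same structure applies to URL canonicalization: what matters is whether the bytes leaving the firewall are the ones the verdict was computed on.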

