Re: [fw-wiz] Evolution of Firewalls

From: Marcus J. Ranum (mjr_at_ranum.com)
Date: 03/12/04

  • Next message: Kyle King: "[fw-wiz] Cisco PiX 501 running 6.2 - Defying me for no reason"
    To: Chunduru Rama Krishna Prasad <rkp@intotoinc.com>, <skpoo@pacific.net.sg>, <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 12 Mar 2004 00:04:16 -0500
    > Application proxy firewalls run based on the applications. For example, when a new application comes onto the market, you again have to write a new application proxy.

    By the way, many of us "old school" proxy firewall guys think this is one
    of the main value propositions for a proxy. It means that a set of security
    eyes are focused (however briefly) on the protocol that is being gatewayed.
    This often pays huge dividends because it seems that most app-protocols
    are braindamaged. I remember when Dave Dalva at TIS did some assessment
    (as part of our HTTP proxy design) on the NCSA "Mosaic" web browser
    and found some absolute howlers of security holes (coded by some genius
    named "Andreeson"...) -- this was stuff that everyone else had just rushed
    into production with their screening and "stateful multi-blahblah packet blah"
    firewalls. When I first started looking at FTP in '89/90 to build my first FTP
    proxy, I realized FTP bounce attacks were possible, etc, etc.

    Another BIG value of proxies is that they can implement only subsets
    of a protocol. Whereas you actually had to try to build a reduced
    instruction set FTPD to make a secure(ish) FTP server you could stick
    a proxy in the way and only allow RETR and PORT with the destination
    equal to the client address. Or you could implement a bare minimum
    of an SMTP protocol, as another example. It saves you having to
    understand all the security properties of the entire app-protocol stack -
    which is sometimes impossible with today's braindamaged protocols.
    (e.g.: Anyone understand all of SMB?)

    >3. Performance.

    This is largely an artifact of popular implementations rather than
    a "must be" - I saw some very cool demos of one of the Seaway
    gig-networking app cards the other day. It does TCP termination
    and what we'd call "transparent proxying" (with IP scrubbing
    thrown in) at 4 gigs/sec. That's with the card acting as both
    sides of a TCP stack, just like ye olde proxy firewall used to do.
    You could write a proxy atop that puppy to process the app-layer
    session commands and make a "stateful blah multi-level poo poo
    blah blah" firewall look like a paralytic centipede in comparison.

    mjr.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
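The reduced-protocol proxy that the post describes (forward only RETR and PORT, and accept PORT only when its address is the connecting client's) can be written as a small command filter. The following is an added example, not code from the post or from any TIS product; the allow-list extends the post's RETR and PORT with the USER/PASS/QUIT verbs a session needs to complete (an assumption), the privileged-port refusal is an extra check not mentioned in the post, and the sample session lines and addresses are constructed.

```python
import ipaddress
import re

# Verbs the proxy will forward. The post names RETR and PORT; USER, PASS and
# QUIT are added here (assumption) so a client can log in and finish cleanly.
ALLOWED_VERBS = {"USER", "PASS", "RETR", "PORT", "QUIT"}

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 with each field a decimal 0..255.
_PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_argument(arg):
    """Return (ip_str, port) from a PORT argument, or None if it is malformed."""
    m = _PORT_ARG.match(arg.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def filter_ftp_command(line, client_ip):
    """Decide whether one client control-channel line may be forwarded.

    Returns (allowed, reason). Anything outside the allow-list is dropped, and a
    PORT command passes only when its address is the connecting client's own
    address, which is what shuts down the FTP bounce case the post mentions.
    """
    text = line.rstrip("\r\n")
    if not text:
        return False, "empty command"
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    if verb not in ALLOWED_VERBS:
        return False, f"{verb} not in allow-list"
    if verb == "PORT":
        parsed = parse_port_argument(arg)
        if parsed is None:
            return False, "malformed PORT argument"
        ip, port = parsed
        if ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip):
            return False, f"PORT target {ip} is not the client {client_ip}"
        if port < 1024:
            # Extra check beyond the post: a client's data listener is never
            # on a privileged port, so refuse those outright.
            return False, f"PORT target port {port} is privileged"
    return True, "ok"


if __name__ == "__main__":
    # Constructed session from a client at 192.0.2.10 (documentation range).
    client = "192.0.2.10"
    session = [
        "USER anonymous",
        "PASS guest@example.org",
        "PORT 192,0,2,10,200,37",   # client's own address: forwarded
        "RETR README",
        "PORT 198,51,100,25,0,25",  # points at a third host: dropped
        "STOR upload.bin",          # not in the allow-list: dropped
        "PORT 192,0,2,10,999,1",    # octet out of range: dropped
        "QUIT",
    ]
    for cmd in session:
        ok, why = filter_ftp_command(cmd, client)
        print(f"{'PASS' if ok else 'DROP'} {cmd!r}: {why}")
```

The filter sits on the control channel between client and server; nothing it does not return as allowed is ever sent on, so the server only ever sees the subset of FTP the proxy author chose to understand.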

