Re: [fw-wiz] Gauntlet 6 "adaptive proxy"

From: Patrick M. Hausen (
Date: 08/18/04

  • Next message: Gary Flynn: "[fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
    To: "Kevin Kadow" <>
    Date: Wed, 18 Aug 2004 08:59:51 +0200 (CEST)


    Kevin Kadow wrote:

    > I know it's ancient (but vendor supported until 2005), but can
    > anybody share insight into this Gauntlet feature?

    Not so ancient as not to have some of them still running
    here. Since gauntlet-users is de-facto dead, this is probably the
    right place to ask.

    > I'm trying to eke out every bit of performance I can from my old
    > GFW6.0 machines, and have been told that I should turn on
    > "adaptive proxy" to boost HTTP and FTP performance.
    > The docs imply a security trade-off, but do not give details.

    The adaptive proxy is a hybrid approach developed as a reaction
    to market pressure. Application level gateways are so sloooow,
    compared to stateful inspection, you know ;-)

    What it does is roughly this:

    The connection is still routed through the transparency layer
    and up to the proxy serving the protocol in question.
    Three-way-handshake, accept(), all done the regular way.
    The proxy does all the policy checks just as it would in
    the non-adaptive case. Proxies that actually have some layer 7
    intelligence (like http-pdk) will do the configured checks
    ("only GET/POST" or whatever), too.

    Once the connection passed all policy checks, the proxy will
    generate an on-the-fly packet filter rule permitting all
    following packets of the connection through. So from this moment
    on forwarding is done by the packet filter layer avoiding the
    context switches to the proxy process.

    This may allow for some very cleverly composed attacks,
    OTOH it may not. I'm feeling quite comfortable with this aproach
    and use it in most installations today.

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

    | EuroBSDCon 2004 in Karlsruhe! |
    | 29. - 31. 10. 2004 |
    | |

    -- GmbH         Internet - Dienstleistungen - Beratung
    Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe
    firewall-wizards mailing list

  • Next message: Gary Flynn: "[fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"