Re: [fw-wiz] Gauntlet 6 "adaptive proxy"
From: Patrick M. Hausen (hausen_at_punkt.de)
To: "Kevin Kadow" <email@example.com> Date: Wed, 18 Aug 2004 08:59:51 +0200 (CEST)
Kevin Kadow wrote:
> I know it's ancient (but vendor supported until 2005), but can
> anybody share insight into this Gauntlet feature?
Not so ancient as not to have some of them still running
here. Since gauntlet-users is de-facto dead, this is probably the
right place to ask.
> I'm trying to eke out every bit of performance I can from my old
> GFW6.0 machines, and have been told that I should turn on
> "adaptive proxy" to boost HTTP and FTP performance.
> The docs imply a security trade-off, but do not give details.
The adaptive proxy is a hybrid approach developed as a reaction
to market pressure. Application level gateways are so sloooow,
compared to stateful inspection, you know ;-)
What it does is roughly this:
The connection is still routed through the transparency layer
and up to the proxy serving the protocol in question.
Three-way-handshake, accept(), all done the regular way.
The proxy does all the policy checks just as it would in
the non-adaptive case. Proxies that actually have some layer 7
intelligence (like http-pdk) will do the configured checks
("only GET/POST" or whatever), too.
Once the connection passed all policy checks, the proxy will
generate an on-the-fly packet filter rule permitting all
following packets of the connection through. So from this moment
on forwarding is done by the packet filter layer avoiding the
context switches to the proxy process.
This may allow for some very cleverly composed attacks,
OTOH it may not. I'm feeling quite comfortable with this aproach
and use it in most installations today.
Patrick M. Hausen
Leiter Netzwerke und Sicherheit
| EuroBSDCon 2004 in Karlsruhe! |
| 29. - 31. 10. 2004 |
| http://www.eurobsdcon2004.de/ |
-- punkt.de GmbH Internet - Dienstleistungen - Beratung Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100 76137 Karlsruhe http://punkt.de _______________________________________________ firewall-wizards mailing list firstname.lastname@example.org http://honor.icsalabs.com/mailman/listinfo/firewall-wizards