Re: [fw-wiz] Gauntlet 6 "adaptive proxy"

From: Patrick M. Hausen (hausen_at_punkt.de)
Date: 08/18/04

  • Next message: Gary Flynn: "[fw-wiz] Top Secret DOD Data over the Public Internet? Thoughts?"
    To: "Kevin Kadow" <kevin@msg.net>
    Date: Wed, 18 Aug 2004 08:59:51 +0200 (CEST)
    
    

    Hello!

    Kevin Kadow wrote:

    > I know it's ancient (but vendor supported until 2005), but can
    > anybody share insight into this Gauntlet feature?

    Not so ancient as not to have some of them still running
    here. Since gauntlet-users is de-facto dead, this is probably the
    right place to ask.

    > I'm trying to eke out every bit of performance I can from my old
    > GFW6.0 machines, and have been told that I should turn on
    > "adaptive proxy" to boost HTTP and FTP performance.
    >
    > The docs imply a security trade-off, but do not give details.

    The adaptive proxy is a hybrid approach developed as a reaction
    to market pressure. Application level gateways are so sloooow,
    compared to stateful inspection, you know ;-)

    What it does is roughly this:

    The connection is still routed through the transparency layer
    and up to the proxy serving the protocol in question.
    Three-way-handshake, accept(), all done the regular way.
    The proxy does all the policy checks just as it would in
    the non-adaptive case. Proxies that actually have some layer 7
    intelligence (like http-pdk) will do the configured checks
    ("only GET/POST" or whatever), too.

    Once the connection has passed all policy checks, the proxy will
    generate an on-the-fly packet filter rule permitting all
    following packets of the connection through. So from this moment
    on, forwarding is done by the packet filter layer, avoiding the
    context switches to the proxy process.

    This may allow for some very cleverly composed attacks,
    OTOH it may not. I'm feeling quite comfortable with this approach
    and use it in most installations today.

    HTH,
    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

    +-----------------------------------+
    | EuroBSDCon 2004 in Karlsruhe! |
    | 29. - 31. 10. 2004 |
    | http://www.eurobsdcon2004.de/ |
    +-----------------------------------+

    -- 
    punkt.de GmbH         Internet - Dienstleistungen - Beratung
    Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe       http://punkt.de
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
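The hand-off Patrick describes (proxy does the policy check, then installs a per-connection filter rule so later packets never reach the proxy) can be modelled in a few lines. The following is a constructed example added to this archive page; it is neither Gauntlet code nor anything the poster wrote, and the names `Gateway`, `FiveTuple`, `http_policy` and `run` are hypothetical. It runs the same two-request persistent connection through a non-adaptive and an adaptive gateway so the trade-off is visible in what the proxy actually inspects and logs.

```python
"""Toy model of an 'adaptive proxy' hand-off (constructed example).

Non-adaptive: every packet goes up to the application proxy, which
parses the request and applies the layer-7 policy.

Adaptive: the first request is checked the same way; once it passes,
the proxy installs a dynamic packet-filter rule keyed by the 5-tuple
and every later packet of that connection is forwarded by the filter
layer without a context switch into the proxy.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FiveTuple:
    """Connection key used for the on-the-fly filter rule."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Packet:
    flow: FiveTuple
    payload: bytes


def http_policy(payload: bytes) -> bool:
    """Layer-7 check in the spirit of the 'only GET/POST' example."""
    request_line = payload.split(b"\r\n", 1)[0]
    method = request_line.split(b" ", 1)[0]
    return method in (b"GET", b"POST")


@dataclass
class Gateway:
    adaptive: bool
    fastpath: set = field(default_factory=set)      # dynamic filter rules
    inspected: list = field(default_factory=list)   # what the proxy saw
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        # Packet-filter layer first: a matching dynamic rule forwards the
        # packet without the proxy (and its policy or audit log) seeing it.
        if pkt.flow in self.fastpath:
            self.forwarded.append(pkt)
            return "fastpath"
        # Proxy path: full policy check on the request.
        self.inspected.append(pkt)
        if not http_policy(pkt.payload):
            self.dropped.append(pkt)
            return "dropped"
        self.forwarded.append(pkt)
        if self.adaptive:
            # Hand the rest of this connection to the packet filter.
            self.fastpath.add(pkt.flow)
        return "proxied"


def run(adaptive: bool, packets):
    """Push packets through a fresh gateway; return it and the verdicts."""
    gw = Gateway(adaptive=adaptive)
    verdicts = [gw.handle(p) for p in packets]
    return gw, verdicts


# Constructed traffic: one persistent HTTP connection carrying two
# requests, the second of which the policy would reject.
FLOW = FiveTuple("tcp", "10.0.0.5", 40001, "192.0.2.10", 80)
SAMPLE = [
    Packet(FLOW, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    Packet(FLOW, b"DELETE /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"),
]

if __name__ == "__main__":
    for mode in (False, True):
        gw, verdicts = run(mode, SAMPLE)
        print(f"adaptive={mode}: verdicts={verdicts}, "
              f"proxy inspected {len(gw.inspected)} of {len(SAMPLE)} packets")
```

The point for a defender reviewing the knob: in adaptive mode the proxy's policy and audit trail cover only the request that triggered the hand-off, so "only GET/POST" is enforced per connection rather than per request. Whether that is acceptable depends on the protocol; it is the trade-off the Gauntlet docs hint at without spelling out.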
    
