RE: [fw-wiz] on-the-fly-analysis vs. proxy rewrites
- From: "Hawkins, Michael" <MHawkins@xxxxxxxxxx>
- Date: Wed, 8 Feb 2006 20:57:07 -0500
Marcus,
You keep using SMTP as an example, but that is such a small bunch of
RFCs.
What about trying to deal with HTTP, which has almost no bounds? There
are too many possible URIs. All of the proxies I've looked at (and that's
not many) do very little in the way of breaking down the URI and
handling those various subcomponents (such as JavaScript, ActiveX,
DLLs even). It's usually block all JavaScript (useless) or let it all
through (worse than useless).
And what do you do when there are hundreds of nasty DLLs in paths and
hundreds of good ones? I mean, where do you start?
And with all the other demands placed upon my valuable time and
resources, how on earth could someone possibly be expected to parse and
control every nuance within the realm of HTTP? What about parsing the
query? What's safe? What's not?
I feel that the horse has already bolted on that one.
But any suggestions would be gratefully considered.
Mike Hawkins
New York Office: 212-208-3888
White Plains Office: 914-729-2790
Mobile: 917-887-3614
-----Original Message-----
From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of Marcus
J. Ranum
Sent: Wednesday, February 08, 2006 7:21 PM
To: Behm, Jeffrey L.; firewall-wizards@xxxxxxxxxxxxxxxxxx
Subject: RE: [fw-wiz] on-the-fly-analysis vs. proxy rewrites
Behm, Jeffrey L. wrote:
My sometimes jaded view is that the proxy rewrites the traffic to
conform to whatever the proxy writer wrote.
Typically, a proxy also only carries a _subset_ of a full protocol.
That's based on a combination of observation and the designer's
assessment of what is "necessary" and "safe". For example,
a proxy might implement basic SMTP for mail collection and
trap all ESMTP commands to a subroutine that only knows
how to return a "command unknown" error. A boundary DNS
proxy might know how to issue queries but might not even
contain code that knows how to do a zone transfer - and
by omitting that code entirely you can be fairly confident
that any vulnerabilities in that code-branch will not work
against the proxy or systems behind it.
A gateway device has absolutely no reason to implement a
full application protocol stack beyond the absolute minimum
necessary to get the data back and forth. So a proxy serves
not only as an application protocol validation sieve, it's also
sort of an application protocol minimizer.
mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The information contained in this email is confidential and may also contain privileged information. Sender does not waive confidentiality or legal privilege. If you are not the intended recipient please notify the sender immediately; you should not retain this message or disclose its content to anyone.
Internet communications are not secure or error free and the sender does not accept any liability for the content of the email. Although emails are routinely screened for viruses, the sender does not accept responsibility for any damage caused. Replies to this email may be monitored.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
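The "application protocol minimizer" Marcus describes in the quoted message, as an added example that is not part of the original thread and not code from any real proxy: a toy SMTP sieve in Python that implements only HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT, traps every other verb (EHLO and the rest of ESMTP, VRFY, EXPN, AUTH, STARTTLS) into a single "command not recognized" subroutine, and checks the little it does accept against an address grammar deliberately narrower than RFC 5321 allows. The address and host regexes, the reply strings and the client session script are all constructed assumptions.

```python
"""Toy SMTP protocol minimizer: the gateway knows seven verbs and nothing else.

Constructed example for illustration, not a real proxy.  The only command
code paths that exist are the ones below, so a bug in (for instance) AUTH
handling cannot be reached through this gateway because there is no AUTH
handler to reach.
"""
import re

ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAX_LINE = 512  # RFC 5321 command-line limit, counting the CRLF

# Assumed grammars, narrower than the RFC: no quoted local parts, no source
# routes, no address literals.  Empty <> is the null reverse-path bounces
# use; it is accepted in MAIL but never as a recipient.
ADDR_RE = re.compile(r"^<([A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,253})?>$")
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def unknown_command() -> str:
    """The one subroutine every non-whitelisted verb is trapped into.
    It does not echo the verb, so there is nothing to reflect."""
    return "500 command not recognized"


class SmtpSieve:
    """State machine: INIT -> READY -> MAIL -> RCPT -> DATA -> READY."""

    def __init__(self) -> None:
        self.state = "INIT"
        self.envelope = {"from": None, "to": []}
        self.body = []
        self.forwarded = []  # messages that made it through the sieve

    def feed(self, line: str) -> str:
        """Handle one client line; return the reply ('' while inside DATA)."""
        if len(line) + 2 > MAX_LINE or not line.isascii():
            return "500 line too long or not ASCII"
        if self.state == "DATA":
            return self._data_line(line)
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        arg = parts[1] if len(parts) > 1 else ""
        if verb not in ALLOWED:  # EHLO, VRFY, EXPN, AUTH, STARTTLS, ...
            return unknown_command()
        return getattr(self, "_cmd_" + verb.lower())(arg)

    def _reset(self) -> None:
        self.envelope = {"from": None, "to": []}
        self.body = []
        if self.state != "INIT":
            self.state = "READY"

    def _cmd_helo(self, arg: str) -> str:
        if not HOST_RE.match(arg):
            return "501 syntax error in HELO argument"
        self._reset()
        self.state = "READY"
        return "250 proxy ready"

    def _cmd_mail(self, arg: str) -> str:
        if self.state != "READY":
            return "503 bad sequence of commands"
        m = ADDR_RE.match(arg[5:]) if arg[:5].upper() == "FROM:" else None
        if not m:
            return "501 syntax error in MAIL argument"
        self.envelope["from"] = m.group(1) or ""  # "" is the null sender
        self.state = "MAIL"
        return "250 OK"

    def _cmd_rcpt(self, arg: str) -> str:
        if self.state not in ("MAIL", "RCPT"):
            return "503 bad sequence of commands"
        m = ADDR_RE.match(arg[3:]) if arg[:3].upper() == "TO:" else None
        if not m or not m.group(1):
            return "501 syntax error in RCPT argument"
        self.envelope["to"].append(m.group(1))
        self.state = "RCPT"
        return "250 OK"

    def _cmd_data(self, arg: str) -> str:
        if self.state != "RCPT":
            return "503 bad sequence of commands"
        self.state = "DATA"
        self.body = []
        return "354 end data with <CRLF>.<CRLF>"

    def _cmd_rset(self, arg: str) -> str:
        self._reset()
        return "250 OK"

    def _cmd_noop(self, arg: str) -> str:
        return "250 OK"

    def _cmd_quit(self, arg: str) -> str:
        self.state = "CLOSED"
        return "221 bye"

    def _data_line(self, line: str) -> str:
        if line == ".":
            self.forwarded.append({**self.envelope, "body": "\n".join(self.body)})
            self._reset()
            return "250 OK queued"
        # Dot-unstuffing (RFC 5321 section 4.5.2): a leading ".." becomes "."
        self.body.append(line[1:] if line.startswith("..") else line)
        return ""


# Constructed client script: an ESMTP-speaking client meets the sieve.
SAMPLE_SESSION = [
    "EHLO mail.example.net",         # ESMTP greeting: not implemented here
    "HELO mail.example.net",
    "VRFY postmaster",               # no code path exists for VRFY
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.org>",
    "DATA",
    "Subject: test",
    "",
    "..leading dot is unstuffed",
    ".",
    "QUIT",
]


def run_session(lines):
    """Drive a fresh sieve through a scripted client; return the replies
    and the messages that were allowed through."""
    sieve = SmtpSieve()
    replies = [sieve.feed(line) for line in lines]
    return replies, sieve.forwarded


if __name__ == "__main__":
    for line, reply in zip(SAMPLE_SESSION, run_session(SAMPLE_SESSION)[0]):
        print(f"C: {line!r:40} S: {reply}")
```

The thing to notice is what is absent: there is no EHLO branch to advertise extensions, so a client never learns about AUTH, STARTTLS or SIZE and the sieve never has to parse their arguments. The price is the one Mike raises for HTTP: a vocabulary this small is only tolerable because SMTP's core is small, and every legitimate feature left out (8BITMIME, PIPELINING, the null-sender path above) is a deliberate choice the operator has to defend.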