RE: [fw-wiz] on-the-fly-analysis vs. proxy rewrites



On Friday, February 10, 2006 8:55 AM, Darren Reed so wrote:

> On Wednesday, February 08, 2006 5:39 PM, Jeff Behm wrote:
>
> > On Wednesday, February 08, 2006 1:27 AM, Darren Reed so wrote:
> >
> > > On Tuesday, February 07, 2006 12:50 PM, Dave Piscitello so spake:
> > >
> > > > An interesting exercise for this list - possibly a new thread? - is
> > > > "what security policies are best enforced by implementing on-the-fly
> > > > analysis" versus "what security policies are best enforced by proxy
> > > > rewrites".
> > >
> > > How is one different to the other ?
> > >
> > > How is a proxy not doing something "on the fly" ?
> >
> > My sometimes jaded view is that the proxy rewrites the traffic to
> > conform to whatever the proxy writer wrote. Hopefully, that matches up
> > with some standard protocol to _provide_ the security. I.E. You get the
> > security from the proxy writer having rewritten your traffic. It's doing
> > *something,* true, but it's not "checking" anything. It's just not
> > re-writing any *bad* stuff.
>
> That is still "on the fly". The original question (however flawed it
> was), wanted to compare "on the fly" vs proxy. I'd assert that in
> nearly all cases, except for SMTP, the proxy IS "on the fly".

Hmmmm...contemplating...should I respond or let this die?...It's only a
small technical point I'm trying to make here anyway...

I can see how one could assert that, but I feel you're leaving off a
very important and meaning-changing word from the OP's question. That
word is "analysis." Proxy stuff *is* on-the-fly, but (IMHO) it is *not*
on-the-fly-analysis, which is what the OP asked to compare. It's just
taking a request and rewriting it to conform to the proxy writer's
interpretation of the standard protocol (as MJR eloquently pointed out,
(paraphrased) "The proxy writer should only implement that part of the
protocol that is absolutely necessary, i.e. a subset of the entire
protocol."). Quote from MJR from another post... "<mjr>So a proxy
serves not only as an application protocol validation sieve, it's also
sort of an application protocol minimizer.</mjr>"

On the fly *analysis* (to me) means looking at the data in the different
layers and verifying they are "correct" (whatever that means) against
the standard. I.E. Analyzing the data. The proxy parses the data and
rewrites it based on the proxy writer's implementation, but the proxy
isn't "enforcing" or analyzing the data. It's just rewriting it to
conform.

A subtle, but important difference that I tried to make when I said
"It's doing something, but it's not checking anything." I should have
changed "checking" to "analyzing." We're really a bit OT chasing a
tangent here, and I almost didn't respond, but I believe it is an
important distinction to make. Also, I'm not sure anyone has really
answered the OQ...

Jeff
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
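The distinction Jeff draws above, as an added example that is not part of the original thread: a toy HTTP request handled two ways. `proxy_rewrite` behaves like MJR's "application protocol minimizer" (parse, re-emit only the implemented subset, report nothing), while `analyze` leaves the request alone and checks it against the standard. The allowed sets, the sample request and the function names are all constructed for this example.

```python
import re
# Constructed for this example: the HTTP subset the hypothetical proxy implements; TOKEN is RFC 7230's token class.
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HEADERS = {"host", "user-agent", "accept"}
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")

# Constructed sample: two Host headers plus a header the proxy does not know.
SAMPLE = ("GET /index.html HTTP/1.1\r\n"
          "Host: www.example.com\r\n"
          "Host: other.example\r\n"
          "X-Debug: 1\r\n"
          "User-Agent: test\r\n\r\n")

def parse(raw):
    """Split a wire request into (method, target, version, [(name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers

def proxy_rewrite(raw):
    """Rewriting proxy (MJR's 'minimizer'): re-emit only the subset it implements, in
    canonical form. It reports nothing, and it never notices the duplicate Host."""
    method, target, version, headers = parse(raw)
    if method not in ALLOWED_METHODS:
        return None  # outside the implemented subset: dropped, not forwarded
    kept = [(n.title(), v) for n, v in headers if n.lower() in ALLOWED_HEADERS]
    out = [f"{method} {target} HTTP/1.1"] + [f"{n}: {v}" for n, v in kept]
    return "\r\n".join(out) + "\r\n\r\n"

def analyze(raw):
    """On-the-fly analysis: leave the request alone, verify it against the standard."""
    method, target, version, headers = parse(raw)
    findings = []
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        findings.append(f"bad version {version!r}")
    if not TOKEN.match(method):
        findings.append(f"method is not a token: {method!r}")
    for name, _ in headers:
        if not TOKEN.match(name):
            findings.append(f"header name is not a token: {name!r}")
    hosts = [v for n, v in headers if n.lower() == "host"]
    if version == "HTTP/1.1" and len(hosts) != 1:
        findings.append(f"HTTP/1.1 requires exactly one Host header, saw {len(hosts)}")
    return findings
```

Run on SAMPLE, the rewriter forwards a clean-looking request that still carries both Host headers, while the analyzer flags the violation; that gap is the "rewriting" versus "analyzing" point made above.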


