Re: [fw-wiz] Recommended Open Source Proxy Firewalls

Hi, all!

On Sun, Jul 08, 2007 at 09:34:22AM -0700, Mathew Brown wrote:
> I just finished reading Marcus Ranum's very interesting paper -
> - comparing "deep packet inspection firewalls" with "proxy firewalls"
> and was interested in investigating open source "proxy firewalls". Do
> open source proxy firewalls even exist, and if so, which would you
> recommend and why? Thank you for your help.

Well, IMHO this question is not a simple one to answer, because
as soon as I'm thinking about the first fact I might want to
tell you, I feel like opening Pandora's box ;-) Where to start ..?

OK, first: I do not know of any more or less polished "product" that
would fit the term "Open Source Application Level Gateway" and meet
today's standards.

Go and get a copy of "Firewalls and Internet Security" by Steve Bellovin
and Bill Cheswick. It tells you almost everything you need to know to
build your own. At least it will tell you all the principles and
concepts. They have not changed that much in the last years, despite
vendors hyping a new "technology" every other year or so.

The problem with real application level gateways is: you need to
"support" a whole bunch of applications that are inherently
insecure. So while I believe that you can build a reasonably
strong proxy for HTTP, because the protocol is ubiquitous, reasonably
well understood, and there are a lot of plugins for e.g. the
Squid proxy, that implement MIME filtering, virus checking ...,
for many other real world applications you are out of luck.

Reason being that the protocols themselves are proprietary.
Which is a bad thing when you think about security. Still they
exist and people will want to run them through your firewall
and - and this is the most important point - if they are not
completely brainwashed by the security industry, they will
expect the firewall (i.e. the particular proxy) to know what
it's doing. E.g. an Oracle proxy for database access over the
net could only permit certain configurable databases (SIDs in
Oracle speak) to be accessed by a certain client.
You will probably need to sign an NDA with Oracle to get enough
information to actually go and write such a proxy. And even
if you figure it out yourself, they might sue you ;-)

So if you insist on using open source you end up with a
"TCP plug" proxy. You could just use a static packet filter
with a little bit of "SYN/ACK/established" brains instead.
There really isn't that much difference, save possibly IP
fragment tricks and similar low level stuff.

Unfortunately the majority of application layer firewall
vendors discredited themselves years ago, shipping products
that had advanced understanding of the underlying protocol
only for some simple and common stuff: HTTP, FTP, Telnet,
End of List. Even Gauntlet 6.0 implemented the HTTPS "proxy"
as a simple TCP plug. As I said, there's probably nothing won
by this. IIRC, Marcus once called that the "dirty little
secret" of ALG vendors. Gauntlet was better than a simple
NAT gateway, though, because of its "default deny" policy
instead of "anything initiated from inside must be 'good'".
But not much. At least not if matched against today's threats
which are mostly targeted at the application.

I'm selling a particular ALG (Sidewinder by Secure Computing)
and to most potential customers I have to explain these
concepts carefully and in depth, and demonstrate just how
many filtering capabilities my product really has - because
they have been trained into thinking that firewalls are about
permitting or denying "ports".

E.g. the Sidewinder's HTTPS proxy enforces a proper TLS handshake
when the connection is initiated. It cannot work magic, so once
the encryption is in place, it's just as blind about the content
as a plug, but at least it enforces protocol. So: Skype does
not work through a Sidewinder in default configuration. I consider
that a feature. Skype uses a proprietary encrypted protocol over
port 443, because most packet filtering firewalls or adaptive
deep inspection whatever thingies just leave that port wide open
for everything. And you can add SSL decryption and man-in-the-middle
your connections to do real content inspection even on HTTPS.

I don't want to just endorse Sidewinder's merits, I just want to
give you a picture of what it takes to build an application
level gateway that matches today's threats.

And that's for every single application! You need an MS-SQL
proxy that understands MS-SQL. Want netmeeting? You need a
proxy that speaks H.323 and T.120. As I said ... Pandora's box.

So, for historical and technical studies, you could look here:

But don't expect it to match up against Sidewinder or Cyberguard
or other commercial offerings.

And as much as I prefer Sidewinder over every competing product
I've seen so far: it still does much too little! I'd love to
have an HTTP proxy that takes a set of regular expressions to
match against URLs that are permitted to be fetched from a
protected web server and denies everything else.
Just as a start. I can think of many more things an ALG could do. ;-)

-- GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
Gf: Jürgen Egeling AG Mannheim 108285
firewall-wizards mailing list