Re: [fw-wiz] Query: Why bother with an application proxy over stateful packet filtering?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks Andy.

You've given me food for thought.

First point:

While I agree with your view of controlling telnet or inappropriate
protocols across a firewall as compared with using a more fine-grained
web proxy, I can still bypass the proxy via "httptunnel", for example.

So both proxy and firewall can be equally subverted internally via
outbound traffic to a rogue service listening on an http port.

Second Point:
Also, iptables could use its "string matching" to filter inappropriate
sites that match content keywords or even based on a black-hole list.

I guess I am still struggling to see any real benefits as of right now
apart from the obvious web caching abilities, but that's not what this
discussion is about.

I will dig deeper, starting with Patrick Hausen's reading list (previous
post reply) first and move from there.

regards,
Will.

PS: I drive a Mazda B2500 4X4. I too am interested in 4x4's, and I
plan on getting an old cheap jeep to enjoy some off-roading as a hobby.


Andy Cunningham wrote:
> william fitzgerald nearly made me spill my Shiraz on 08/27/2007 03:05 PM
> by writing:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Dear Experts,
>>
>> I am interested in knowing more about network access control via various
>> kinds of firewalls.
>>
>> I am wondering why there would be a need to set up a proxy such as a web
>> proxy (Squid) instead of just using a stateful packet filtering firewall
>> (iptables) only in a network?
>
> The two usual reasons are protocol enforcement and content filtering.
>
> A stateful packet inspection firewall will allow anything you like once
> the initial TCP handshake has been approved, so there's nothing stopping
> me setting up a telnet server on port 80 and connecting to that from
> inside the office. If the only thing allowed to communicate to the
> firewall is the proxy server, you know you're only ever doing http.
>
> There are a number of plugins for proxy servers that mean you can filter
> inappropriate sites and otherwise control access in ways a pure firewall
> can't. Some of this functionality is available in some newer firewall
> systems if you want a single device.
>
> Hope that helps.
>
> Andy


- --
William M. Fitzgerald,
PhD Student,
Telecommunications Software & Systems Group,
ArcLabs Research and Innovation Centre,
Waterford Institute of Technology,
WIT West Campus,
Carriganore,
Waterford.
Office Ph: +353 51 302937
Mobile Ph: +353 87 9527083
Web: www.williamfitzgerald.org



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG0u9fIcwlebz1MmwRAnwcAKDV1HGEStrEAoByig3iHKDx3xqLtACgycxc
XHQbBu8SUU0uGyNdODoCvQI=
=KRqS
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
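The two reasons Andy gives (protocol enforcement and content filtering) and William's objection (a tunnel wrapped in valid HTTP passes both), written out as an added toy example; this is not code from the thread, from Squid or from iptables. `stateful_filter_allows` stands in for the packet filter's port/state decision, `parse_http_request` and `proxy_decision` for what an application proxy looks at before forwarding. The sample flows, the telnet-style negotiation bytes and the host blocklist are all constructed for the example.

```python
"""Packet filter vs. application proxy: what each one actually checks.
Added illustration, not the thread's, Squid's or iptables' code."""
import re
from typing import FrozenSet, Optional, Tuple

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "CONNECT"}
# Request line of an HTTP/1.0 or HTTP/1.1 request head.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def stateful_filter_allows(dst_port: int, allowed_ports=(80, 443)) -> bool:
    """The 5-tuple/state decision: once the port is permitted and the
    handshake completes, every later byte of the flow is passed untouched."""
    return dst_port in allowed_ports


def parse_http_request(data: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (method, target, host) if the first bytes of a flow form a
    syntactically valid HTTP/1.x request head, else None."""
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return None  # no complete header block: not an HTTP request head
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return None
    method = m.group(1).decode("ascii")
    target = m.group(2).decode("ascii", "replace")
    if method not in HTTP_METHODS:
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    if not host and target.startswith("http://"):
        # proxy-style absolute URI (HTTP/1.0 clients send no Host header)
        host = target[len("http://"):].split("/", 1)[0]
    if not host:
        return None  # nothing to apply a site policy to; treat as non-conforming
    return method, target, host.lower()


def proxy_decision(data: bytes, blocked_hosts: FrozenSet[str] = frozenset()) -> str:
    """Protocol enforcement first, then a content (site) filter."""
    parsed = parse_http_request(data)
    if parsed is None:
        return "deny: not HTTP"
    _method, _target, host = parsed
    host = host.split(":")[0]  # drop a :port suffix (IPv6 literals not handled here)
    if host in blocked_hosts:
        return f"deny: host {host} on blocklist"
    return "allow"


# Constructed sample flows, all arriving on destination port 80.
GET_OK = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
TELNET_ON_80 = b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23login: "  # telnet option negotiation, not HTTP
BLOCKED_SITE = b"GET http://blocked.example/ HTTP/1.0\r\n\r\n"
TUNNELLED = b"POST /index.html HTTP/1.1\r\nHost: example.com\r\nContent-Length: 5\r\n\r\nhello"
BLOCKLIST = frozenset({"blocked.example"})


def demo():
    """Both devices' verdicts on each sample flow."""
    flows = {"browser": GET_OK, "telnet-on-80": TELNET_ON_80,
             "blocked-site": BLOCKED_SITE, "tunnelled": TUNNELLED}
    return {name: (stateful_filter_allows(80), proxy_decision(flow, BLOCKLIST))
            for name, flow in flows.items()}


if __name__ == "__main__":
    for name, (pf, px) in demo().items():
        print(f"{name:13} packet filter: {'allow' if pf else 'deny':5}  proxy: {px}")
```

The packet filter answers "allow" for all four flows because it only ever sees port 80. The proxy refuses the telnet banner (not HTTP) and the blocklisted site, which is the benefit Andy describes. The `TUNNELLED` flow is the limit William points at: its head is well-formed HTTP, so the proxy forwards it without knowing what the body carries. The proxy narrows the channel to HTTP; it does not prove what is inside it.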