Re: [fw-wiz] Firewalls that generate new packets..



I am well aware that Squid does not do all of the previous--
it is an application proxy. Application level proxies, or
the equivalent, are the best form of deep packet inspectors.
The rest of the Stateful with deep packet inspection would be
what is more traditionally thought of as a firewall. They
would not substitute for one another, but instead complement
each other.

I would not look at Squid as a security device - I cannot imagine a
security proxy written for HTTP as it stands today. In order to have
any install base, HTTP proxy can, at most, implement ACLs/user auth with
content filtering and some spam, maybe some cookie encryption/info leakage
prevention, but cannot really limit the protocol. Squid and most popular
http proxies are http caches/load balancers but not security devices.

I am not the authority on the subject but, if I am correct, the first
firewalls did not even have packet filters - traffic went through a proxy,
and protocols that were not supported/proxy friendly were transferred via
some kind of authenticated IP replay thingy (or was it decnet to IP
bridge?). DMZ was for housing computers used to connect to the outside
(shellboxes), as they were "tainted". Now - that's secure design! Same
for traffic leaving the network. Caveat: I may be wayyy incorrect here,
I cannot find much info available about the history of
firewalls. (I will gladly take beating, just point me to the docs..).

And now, we slap a NATing router with some ACLs, AV, caching proxy,
sieve-like egress filtering and call it a firewall.

Everyone loves war stories: I do consulting sometimes, and last time it
was for a place with IDS, IPS, 3 AV subscriptions, HTTP proxy, split
horizon DNS, 2 (!) layers of firewalls (stateful), encrypted and
unencrypted wireless, NAC and traffic shaper. The bad guys still got in!
How, you ask? Easy: via HTTP/s, dns, smtp (traffic on all the protocols
was proxied, in and out).

--
Marcin Antkiewicz
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
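
Added example (not part of the message above, and not taken from the Squid project's own documentation): a squid.conf fragment sketching the controls the post credits an HTTP proxy with (ACLs, user authentication, domain/content filtering, cookie stripping) and the limited protocol restriction a proxy can impose (allowed methods, destination ports, CONNECT targets). The helper path, password file, blocklist file and client network range are assumptions; the directive names are Squid's stock ones, but any deployment should be checked against the version actually installed.

```conf
# --- Who may use the proxy (ACL + user auth) ---
# Assumed helper path and password file; both vary by distribution.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Corporate proxy
acl authenticated proxy_auth REQUIRED
acl localnet src 10.0.0.0/8          # assumed internal client range

# --- What little of the protocol a proxy can constrain ---
acl Safe_ports port 80 443            # only plain HTTP and HTTPS destinations
acl SSL_ports port 443                # CONNECT tunnels may only go to 443
acl CONNECT method CONNECT
acl allowed_methods method GET POST HEAD CONNECT

http_access deny !Safe_ports          # unusual destination ports are refused
http_access deny CONNECT !SSL_ports   # no tunnelling to arbitrary ports
http_access deny !allowed_methods     # drop exotic verbs (PUT, DELETE, TRACE, ...)

# --- Content filtering (domain blocklist, assumed file) ---
acl blocked_sites dstdomain "/etc/squid/blocked.txt"
http_access deny blocked_sites

# --- Info-leakage prevention: strip cookies and the client-identifying headers ---
request_header_access Cookie deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
reply_header_access Set-Cookie deny all

# --- Final decision: authenticated internal users only, everything else denied ---
http_access allow localnet authenticated
http_access deny all
```

Note what this does and does not achieve, which is the post's point: the rules above decide who may talk, to which ports, with which verbs and headers, but whatever passes those checks is still arbitrary HTTP request and response bodies, so the rules limit access to the protocol rather than the protocol itself. That is why the proxy belongs beside a stateful, deep-inspecting firewall rather than in place of one.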