Re: [fw-wiz] Proxies, opensource and the general market: what's wrong with us?
- From: ArkanoiD <ark@xxxxxxxxx>
- Date: Thu, 28 Apr 2011 01:12:59 +0400
On Wed, Apr 27, 2011 at 01:52:48PM -0700, David Lang wrote:
> I think there is some room for an HTTP or XML firewall checker to be
> implemented and satisfy a lot of needs (technical needs that is, when
> management makes a decision that "all firewalls are going to be Cisco"
> or even "all firewalls must be commercial appliances" that trumps all
> technical issues), but right now I am not aware of any free tools in
> these spaces, completely ignoring the 'learning modes' of many of the
At the moment I am trying to offload non protocol-related HTTP checks to external
ICAP filters. For XML, I have a raw prototype, but I do not like the fact that it
is based on libxml2 and inherits all of its potential vulnerabilities (as it is a huge
piece of code), and there is still a lack of an automated tool that can be used to
"formalize" the "normal" XML flow so that anomalies can be checked for later. For several well-documented
protocols it is not needed, but aiming at SOA it is probably a must :-(
> openfwtk hasn't hit this yet for me as the key thing that I use FWTK
> for is the authenticated proxies and the last I checked it doesn't have
> an authsrv equivalent (or the ability for its proxies to tie in to an
You must be missing something: authsrv is the part that required several fixes, so it
is there for sure, for a few years at least, and it has really improved much. Multiple groups per user are allowed, authentication
sources may be checked against the netperm-table (you may write rules that restrict authentication
to a given proxy, or a given host), a unix local socket is supported as transport to avoid writing
complicated "loopback prevention" rules, etc etc.
I am thinking about adding radius and/or pam backend support, but still have had no time to implement that.
> openfwtk also isn't the complete solution that
> ArkanoiD painted it to be, for many things it just says 'use tool X',
> which is a good thing to avoid re-inventing the wheel, but it doesn't
> result in the firewall API that he is looking for.
Unfortunately it still is not :-( Lack of resources, that is. Reimplementing full IMSpector, GreenSQL and privoxy
functionality is not non-trivial, it is just time-consuming. Until then you need extra tools.
There is nothing wrong in the fact that you need other tools that are outside the OpenFWTK scope, though, like Prelude, log analyzers,
firewall-wizards mailing list