On 04/27/2011 10:52 PM, David Lang wrote:

> however, as proxy firewalls are dying, new devices with the type of
> checking that proxies do are becoming more common.

I don't think so. No product that I'm aware of has the same "default
deny" on the low level attacks that a proxy has. Again, the recent
"split handshake" problems are a clear example: packet filters "try to
guess" the proper session state, while there is no way to cheat a proxy
into letting a connection in if it's not permitted (up to TCP/UDP, I
mean). Packet-handling tools, be it filters, IDS or something else,
however, are probably "good enough" for the market.

> doing the checking with a proxy listening to a specific port should be
> significantly easier than checking for all protocols on all connections
> passing through the devices.

It is, actually, if it's TCP. From what I remember, as I wrote some code
in this area, UDP is much more of a nightmare. This is why I say that
proxies are good for some protocols (e.g. http) where you can benefit
from tight controls, but you still need a packet filter underneath for
other protocols: you can't punch a hole in a proxy for a new, unknown
and "essential" protocol.


- Claudio
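The "default deny" of a proxy that Claudio describes, as an added illustration that is not part of this thread: a toy HTTP proxy gate that forwards nothing it cannot parse and authorise, where the method and host allow-lists are constructed demo policy, not anyone's real configuration.

```python
"""Default-deny gate of an application-layer (HTTP) proxy.

A packet filter that permits TCP/80 relays any byte stream once the session
looks established; a proxy terminates the connection and forwards only what
it has parsed and authorised. Allow-lists are assumptions for this demo.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}            # assumption: demo policy
ALLOWED_HOSTS = {"intranet.example", "www.example"}  # assumption: demo policy
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]$")


def proxy_decision(raw: bytes):
    """Return (forward, reason) for the first request on a client connection.

    Anything that is not a well-formed, policy-conformant HTTP/1.x request is
    denied: the proxy never relays bytes it did not understand.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete or non-HTTP request head"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method = m.group(1).decode()
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"   # CONNECT, TRACE, ...
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            return False, "malformed header line"
        key = name.lower()
        if key in headers:   # a duplicated Host is ambiguous, so refuse it
            return False, f"duplicate header {key.decode()}"
        headers[key] = value.strip()
    host = headers.get(b"host")
    if host is None:
        return False, "missing Host header"
    if host.decode("ascii", "replace").split(":")[0] not in ALLOWED_HOSTS:
        return False, "destination host not permitted"
    return True, f"{method} to {host.decode()} forwarded"
```

Every input below reaches a packet filter as the same thing, "bytes on an established port-80 session"; only the proxy can tell them apart.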