Re: [fw-wiz] Proxies, opensource and the general market: what's wrong with us?

On 04/27/2011 10:52 PM, David Lang wrote:

> however, as proxy firewalls are dying, new devices with the type of
> checking that proxies do are becoming more common.

I don't think so. No product that I'm aware of has the same "default
deny" on the low level attacks that a proxy has. Again, the recent
"split handshake" problems are a clear example: packet filters "try to
guess" the proper session state, while there is no way to cheat a proxy
into letting a connection in if it's not permitted (up to TCP/UDP, I
mean). Packet-handling tools, be it filters, IDS or something else,
however, are probably "good enough" for the market.

> doing the checking with a proxy listening to a specific port should be
> significantly easier than checking for all protocols on all connections
> passing through the devices.

It is, actually, if it's TCP. From what I remember, as I wrote some code
in this area, UDP is much more of a nightmare. This is why I say that
proxies are good for some protocols (e.g. http) where you can benefit
from tight controls, but you still need a packet filter underneath for
other protocols: you can't punch a hole in a proxy for a new, unknown
and "essential" protocol.


- Claudio


Claudio Telmon

firewall-wizards mailing list
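The "default deny" property Claudio describes (a proxy's own TCP stack finishes the handshake with the client, and the protected service only ever sees a connection the proxy itself opened after a policy decision) is easy to see in a toy single-port application proxy. The code below is a constructed example added here, not code from the firewall-wizards list or from Claudio; the backend service, the GET/HEAD-only request-line policy and the constructed request bytes are all assumptions chosen for illustration.

```python
"""
Minimal single-port TCP application proxy (constructed example).

The kernel completes the three-way handshake with the client before
accept() returns, so packet-level games on the client side never reach
the backend: the backend only sees a fresh connection that the proxy
opened itself, and only after the request passed the policy check.
The policy here is a deliberately simple HTTP/1.x request-line check
(assumption); a real proxy would parse the whole message.
"""
import re
import socket
import threading

# Policy (assumption): only well-formed GET/HEAD request lines are forwarded.
REQUEST_LINE = re.compile(rb"^(GET|HEAD) /\S* HTTP/1\.[01]\r\n")


class Backend:
    """Toy protected service: counts accepted connections, echoes the first line."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))        # ephemeral port, loopback only
        self.sock.listen(5)
        self.addr = self.sock.getsockname()
        self.accepted = 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            self.accepted += 1
            data = conn.recv(4096)
            conn.sendall(b"backend saw: " + data.split(b"\r\n", 1)[0] + b"\r\n")
            conn.close()


class Proxy:
    """Listens on one port; decides policy before touching the backend."""

    def __init__(self, backend_addr):
        self.backend_addr = backend_addr
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.addr = self.sock.getsockname()
        self.rejected = 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            client, _ = self.sock.accept()     # handshake already done by the kernel
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        with client:
            request = client.recv(4096)
            if not REQUEST_LINE.match(request):
                # Default deny: answer the client ourselves, never open the
                # upstream connection.
                self.rejected += 1
                client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
                return
            # Only now does a connection to the protected service exist,
            # and it is one the proxy initiated.
            with socket.create_connection(self.backend_addr, timeout=2) as upstream:
                upstream.sendall(request)
                reply = upstream.recv(4096)
            client.sendall(reply)


def send_via(proxy_addr, payload):
    """Act as a client: connect through the proxy, send payload, return reply."""
    with socket.create_connection(proxy_addr, timeout=2) as s:
        s.sendall(payload)
        return s.recv(4096)


def demo():
    """Run one allowed and one rejected request; return what each side saw."""
    backend = Backend()
    proxy = Proxy(backend.addr)
    ok = send_via(proxy.addr, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")
    bad = send_via(proxy.addr, b"\x16\x03\x01not-http")  # constructed junk
    return ok, bad, backend.accepted, proxy.rejected


if __name__ == "__main__":
    print(demo())
```

The interesting counters are `backend.accepted` and `proxy.rejected`: the rejected request never produces a backend connection at all, which is the difference from a packet filter that has to infer session state from the packets it forwards. The same structure also shows why the approach is tied to a protocol the proxy understands: an unknown protocol on that port simply fails the request-line check, which is the "can't punch a hole in a proxy" point made above.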
