PIX Firewall's cut-through proxy
From: hvazquez@winmat.com
Date: 17 Jun 2002 09:25:06 -0000
To: security-basics@securityfocus.com
Hi men,
That's a question for all firewall gurus. Does anybody know exactly how
Cisco PIX handles HTTP connections? I'm trying to show a customer the
differences between circuit-level proxies and PIX "cut-through proxy"
technology. Cisco's HTTP connection management is described as follows:
"The PIX Firewall's cut-through proxy challenges a user initially at the
application layer, like a proxy server. But once the user is authenticated
against an industry-standard database based on the Terminal Access
Controller Access Control System (TACACS)+ or Remote Authentication Dial-
In User Service (RADIUS) and policy is checked, the PIX Firewall shifts
the session flow, and all traffic thereafter flows directly and quickly
between the two parties while maintaining session state."
OK, so once a client is authenticated, all the connections are handled at
layer 3 of the OSI model... Only ports, IPs, and sequence numbers can be
tracked... But what about the protocol check? There's no way for the PIX
to know if the data is a valid HTTP stream... So, once a client has a
valid session on the PIX, a very lame trojan on this client can make an
outside connection without needing to proxify, or simulate a valid HTTP
connection (a simple telnet on port 80 will work).
If there is no way for the PIX to track the whole connection at layer 7
(application), there is no way to guarantee that only HTTP traffic is allowed.
Firewall-1 has a method called "URI resource" that allows inspection at
application level, and can perform URL filtering, can inspect the
connection method (GET, POST, HEAD, ...), and offers a lot of
authentication methods (user auth, client auth), supports RADIUS,
TACACS, SecurID, ... Also, NG offers out-of-sequence number
detection... and the well-known "stateful inspection".
And the question is: can I say that Firewall-1 security is better than
Cisco PIX, when talking about connection management and authentication
methods supported?
Thanks
Hugo Vázquez Caramés
Telematics Security Analyst
Barcelona
SPAIN
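As an added illustration, not part of Hugo's message or of any vendor code, the following Python contrasts the two kinds of check the post compares: a layer-3/4 decision that only knows session state, addresses and ports, and an application-layer decision that also requires a well-formed HTTP request line with an allowed method. The authenticated-host table, the sample flows and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical authenticated-user table and policy (constructed sample data).
AUTHENTICATED_HOSTS = frozenset({"10.0.0.5"})
ALLOWED_PORTS = frozenset({80})
ALLOWED_METHODS = frozenset({"GET", "POST", "HEAD"})

# Minimal HTTP/1.x request-line pattern: METHOD SP target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


@dataclass(frozen=True)
class Flow:
    src: str        # client IP
    dport: int      # destination port
    payload: bytes  # first bytes the client sent after the TCP handshake


def layer4_allows(flow: Flow) -> bool:
    """Cut-through style check: session state, IPs and ports only.
    It never looks at the payload, so any bytes on an allowed port pass."""
    return flow.src in AUTHENTICATED_HOSTS and flow.dport in ALLOWED_PORTS


def layer7_allows(flow: Flow) -> bool:
    """Application-level check: same L4 test, then require a well-formed
    HTTP request line whose method is on the allow list."""
    if not layer4_allows(flow):
        return False
    m = REQUEST_LINE.match(flow.payload)
    return m is not None and m.group(1).decode("ascii") in ALLOWED_METHODS


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = {
    "valid GET": Flow("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "raw bytes on port 80": Flow("10.0.0.5", 80, b"hello, not http at all\r\n"),
    "TRACE method": Flow("10.0.0.5", 80, b"TRACE / HTTP/1.0\r\n\r\n"),
    "unauthenticated host": Flow("10.0.0.9", 80, b"GET / HTTP/1.1\r\n\r\n"),
}


def evaluate_all() -> dict:
    """Return {name: (layer4_decision, layer7_decision)} for every sample flow."""
    return {name: (layer4_allows(f), layer7_allows(f)) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (l4, l7) in evaluate_all().items():
        print(f"{name:24s} L4: {'allow' if l4 else 'deny':5s}  L7: {'allow' if l7 else 'deny'}")
```

The second and third flows are the ones the post worries about: the layer-4 check passes them because the session and port are valid, while only the application-layer check notices that the bytes are not HTTP or that the method is not permitted.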