Re: An application gateway firewall based on Linux - ITShield firewall
From: Viv (failed_at_rogers.com)
Date: 06/06/03
- Next message: Jason: "Re: Where to purchase my book"
- Previous message: touch my r0ck: "Re: Where to purchase my book"
- In reply to: Jens Hoffmann: "Re: An application gateway firewall based on Linux - ITShield firewall"
- Next in thread: Me: "Re: An application gateway firewall based on Linux - ITShield firewall"
Date: Fri, 06 Jun 2003 15:34:17 GMT
"Proxy" in application gateway firewall is different from proxy in HTTP
proxy server or FTP proxy server. Proxy in application gateway firewall is
like a man sitting between a client and the server, and checking the data of
the session (I mean "session", not "connection". I will explain it later).
Here is how a proxy in application gateway firewall works:
1. (TCP): the client sends a connection request to a server. The firewall
tries to accept it. If the three-way handshake completes, the firewall checks the rule
database. If allowed, it starts a specific proxy according to the matched rule;
2. (TCP): the proxy connects to the real server;
3. The proxy checks whether the data of the session follows the corresponding
protocol, for example, the data format and the data flow. A session that
breaks its protocol will be dropped by the proxy, and further requests
from the same client to the same server will be blocked. The proxy can block
some dangerous operations according to the corresponding protocol. If
nothing serious is found, data from the client are sent to the server, and data
from the server are sent to the client.
From Step 1, we can see that the server is not affected by DoS attacks
against TCP requests, such as SYN flood. From Step 3, we can see that only
well-formatted data and safe operations can be passed through the firewall.
There are about 20 proxies in ITShield firewall: proxy_http, proxy_ftp,
proxy_smtp, etc.
Now let's talk about session, UDP session, and IP session. Again I mean
"session", not "connection". We know that, in OSI there are layers called
Transport Layer and Session Layer. Many OSI protocols above Session Layer
can be used on connectionless Transport Layer.
A session is an exchange between a client and a server following a protocol. For
example, proxy_dns for UDP checks the DNS session between a client and a DNS
server:
1. Check whether a DNS request and DNS response are well formatted according to
the DNS protocol;
2. Check whether a DNS response is from the server;
3. Check whether a DNS response is a valid response for a DNS request
previously received from the client.
Please let me know if you are not satisfied.
Regards,
Viv
"Jens Hoffmann" <jh@bofh.de> wrote in message
news:slrnbe0igv.foc.jh@churrasco.bofh.de...
> Hi,
>
> Viv <failed@rogers.com> wrote:
> > application level. I just did not like arguing with you any more. ITShield
> > firewall (http://www.itshield.com) handles all UDP and IP sessions in
> > application level by default.
>
>
> Please define a UDP-Session or an IP-session.
> I know the definition of a TCP session, though.
>
> >We have UDP proxies for DNS/UDP,
>
> trivial. Every NS-cache will do.
>
> >IPSEC,
>
> An IPSEC proxy? Have you got more information on the security-impact of
> this?
>
> >and RPC/UDP, and IP proxy for PING. We make "a technical
> > impossibility" possible for you.
> >
>
> That's not impossible, but you don't know the correct terms, that's all.
>
> There is no UDP Session, since UDP is stateless.
> You can define session-like streams based on heuristics (what a lot of SPI
> actually do...), but that is not a session. It has some risks attached,
> you have to consider and document.
>
> Greetings,
> Jens
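As an added example, not code from the original post and not ITShield's implementation, the following Python model shows what the three proxy_dns checks in Viv's message (well-formed request/response, response from the real server, response matching an outstanding request) look like when you have to keep that state yourself on top of a connectionless transport. The server and client addresses, the transaction IDs and the packets are all constructed for the illustration; the `DnsUdpProxy`, `parse_dns` and `build_*` names are this example's own.

```python
"""Stateful DNS/UDP 'session' checks, modelled on the proxy_dns description.
Added illustration only (not ITShield code); addresses and packets are constructed."""
import struct
from dataclasses import dataclass

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
QR = 0x8000                            # flags bit: 1 = response, 0 = query


class DnsFormatError(ValueError):
    """Check 1: the packet does not follow the DNS wire format."""


class DnsSessionError(ValueError):
    """Checks 2 and 3: well-formed, but not part of a tracked session."""


@dataclass(frozen=True)
class DnsMessage:
    txid: int
    is_response: bool
    qname: str
    qtype: int


def parse_dns(packet: bytes) -> DnsMessage:
    """Parse the header and the single question; reject anything malformed."""
    if len(packet) < DNS_HEADER.size:
        raise DnsFormatError("short header")
    txid, flags, qdcount, _an, _ns, _ar = DNS_HEADER.unpack_from(packet)
    if qdcount != 1:
        raise DnsFormatError("expected exactly one question")
    labels, off = [], DNS_HEADER.size
    while True:
        if off >= len(packet):
            raise DnsFormatError("truncated question name")
        length, off = packet[off], off + 1
        if length == 0:
            break
        # >63 also catches compression pointers (0xC0..) and extended label types
        if length > 63 or off + length > len(packet):
            raise DnsFormatError("bad label length or pointer in question name")
        label = packet[off:off + length]
        if not label.isascii():
            raise DnsFormatError("non-ASCII label")
        labels.append(label.decode().lower())  # DNS names compare case-insensitively
        off += length
    if off + 4 > len(packet):
        raise DnsFormatError("truncated qtype/qclass")
    qtype, qclass = struct.unpack_from("!HH", packet, off)
    if qclass != 1:
        raise DnsFormatError("only class IN is proxied")
    return DnsMessage(txid, bool(flags & QR), ".".join(labels), qtype)


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l) + b"\x00"


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    return DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, qname: str, ipv4: str) -> bytes:
    """Standard response with one A record (answer name is a pointer to offset 12)."""
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return DNS_HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + question + answer


class DnsUdpProxy:
    """A 'session' here is an outstanding query keyed by (client, txid, qname, qtype);
    UDP itself carries none of this state, so the proxy has to keep it."""

    def __init__(self, server):
        self.server = server
        self.pending = set()

    def from_client(self, client, packet):
        msg = parse_dns(packet)                                  # check 1
        if msg.is_response:
            raise DnsSessionError("client sent a response, not a query")
        self.pending.add((client, msg.txid, msg.qname, msg.qtype))
        return packet                                            # relay to self.server

    def from_server(self, src, client, packet):
        # 'client' is known from the per-client upstream socket the reply arrived on.
        msg = parse_dns(packet)                                  # check 1
        if src != self.server:                                   # check 2
            raise DnsSessionError(f"response from {src[0]}, not the real server")
        key = (client, msg.txid, msg.qname, msg.qtype)
        if not msg.is_response or key not in self.pending:       # check 3
            raise DnsSessionError("no outstanding query matches this response")
        self.pending.discard(key)                                # one answer per question
        return packet                                            # relay to client


def verdict(handler, *args):
    """Run one proxy step and classify it the way a firewall log line would."""
    try:
        handler(*args)
        return "forward"
    except DnsFormatError:
        return "drop-format"
    except DnsSessionError:
        return "drop-session"


def demo():
    """Constructed exchange: one legitimate lookup plus packets the checks should stop."""
    proxy = DnsUdpProxy(server=("192.0.2.53", 53))
    client, rogue = ("10.0.0.7", 40000), ("198.51.100.9", 53)
    reply = build_response(0x1234, "example.com", "93.184.216.34")
    return {
        "query": verdict(proxy.from_client, client, build_query(0x1234, "example.com")),
        "rogue source": verdict(proxy.from_server, rogue, client, reply),
        "wrong txid": verdict(proxy.from_server, proxy.server, client, build_response(0x9999, "example.com", "93.184.216.34")),
        "wrong name": verdict(proxy.from_server, proxy.server, client, build_response(0x1234, "evil.example", "203.0.113.1")),
        "matching reply": verdict(proxy.from_server, proxy.server, client, reply),
        "replayed reply": verdict(proxy.from_server, proxy.server, client, reply),
        "truncated query": verdict(proxy.from_client, client, build_query(0x2222, "example.com")[:15]),
        "response sent by client": verdict(proxy.from_client, client, reply),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{result:13} {case}")
```

The pending-query set is the whole difference between this and a stateless packet filter: a reply is only relayed once, only from the configured server, and only for a question the client actually asked. A production proxy would additionally expire entries after a timeout and bound the set per client, otherwise the state table itself becomes a resource-exhaustion target.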