Firewall Wizards mailing list archives
Re: Gauntlet adaptive proxies
From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 12 Nov 1998 21:18:07 +1100 (EST)
In some email I received from Kevin Steves, sie wrote:
On Tue, 10 Nov 1998, Darren Reed wrote:

: CheckPoint doesn't have proxies for a start, so all it does is either
: pass or deny packets. For Gauntlet, there is a fundamental difference
: for the path taken by data in the HTTP example above. For the first
: 20 or so, the packets are interpreted by the local kernel as being a
: part of a local TCP connection, resulting in data being copied in/out
: of a user-space proxy. Once the proxy is happy, it tells the kernel to
: just pass the rest of the packets through - basic pkt filtering. There
: is no longer any copying of data between kernel/user space, no local
: interpretation of TCP packets, etc.

One quote from the paper is: "With an adaptive proxy firewall, initial security examinations are still conducted at the secure application layer, but subsequent packets can be redirected through the network layer as soon as the security clearance has been made".

In the case above I assume the proxy has built a new TCP connection to the destination server, then at some point decides it's OK to packet filter the connection. What about address and sequence number translation in this case?

I can't see that as being an obstacle. All the information is there, somewhere, you just have to get it and massage it appropriately when sending packets back and forth. Heck, I can envisage being able to even go back into "proxy mode" from packet forwarding.

Darren
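
The address and sequence number translation asked about above reduces to two fixed offsets recorded when the proxy hands the connection to the packet filter. The following C code is an added example, not part of the original post and not Gauntlet's code; the struct and function names, the drained-buffer assumption and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed model, all names hypothetical: the proxy terminates
 * connection A (client <-> proxy) and connection B (proxy <-> server). */
struct endpoint { uint32_t ip; uint16_t port; };
struct pkt { struct endpoint src, dst; uint32_t seq, ack; };
struct splice {
    struct endpoint client, proxy_a, proxy_b, server;
    uint32_t c2s_delta;  /* client's numbering -> proxy's numbering on B */
    uint32_t s2c_delta;  /* server's numbering -> proxy's numbering on A */
};

/* Capture offsets at hand-off. Assumes both directions are fully drained. */
struct splice splice_init(struct endpoint client, struct endpoint proxy_a,
                          struct endpoint proxy_b, struct endpoint server,
                          uint32_t a_rcv_nxt, uint32_t a_snd_nxt,
                          uint32_t b_rcv_nxt, uint32_t b_snd_nxt)
{
    struct splice s = { .client = client, .proxy_a = proxy_a, .proxy_b = proxy_b,
                        .server = server, .c2s_delta = b_snd_nxt - a_rcv_nxt,
                        .s2c_delta = a_snd_nxt - b_rcv_nxt }; /* wrap mod 2^32 */
    return s;
}

/* Client -> server: re-address onto connection B and shift seq/ack. */
struct pkt xlate_c2s(const struct splice *s, struct pkt p)
{
    p.src = s->proxy_b;  p.dst = s->server;
    p.seq += s->c2s_delta;
    p.ack -= s->s2c_delta;  /* client ACKs A's numbering; server wants its own */
    return p;
}

/* Server -> client: the mirror image, onto connection A. */
struct pkt xlate_s2c(const struct splice *s, struct pkt p)
{
    p.src = s->proxy_a;  p.dst = s->client;
    p.seq += s->s2c_delta;  p.ack -= s->c2s_delta;
    return p;
}

int main(void)
{   /* constructed values; the client's sequence space is about to wrap */
    struct endpoint c = {0xCB007105u, 40000}, pa = {0xC0000201u, 80},
                    pb = {0xC0000201u, 50000}, sv = {0xC6336407u, 80};
    struct splice s = splice_init(c, pa, pb, sv, 0xFFFFFFF0u, 5000u, 900000u, 0x10u);
    struct pkt out = xlate_c2s(&s, (struct pkt){ c, pa, 0xFFFFFFF0u, 5000u });
    printf("seq=%u ack=%u\n", (unsigned)out.seq, (unsigned)out.ack);
    return 0;
}
```

A real forwarding path also has to update the IP and TCP checksums after each rewrite and translate any TCP options that carry sequence numbers, such as SACK blocks.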