Firewall Wizards mailing list archives

Re: Gauntlet adaptive proxies


From: Kevin Steves <stevesk () sweden hp com>
Date: Wed, 11 Nov 1998 06:47:56 +0100 (MET)

On Tue, 10 Nov 1998, Darren Reed wrote:
: No, it isn't exactly what CheckPoint's Security Servers do.  Well, maybe
: at a very `basic' and abstract level.

I found the paper lacking in technical details (I should have guessed
since it's only available in .doc).  Of the 10 pages, there are 3 that
describe the adaptive proxy design, and around 1 page of that is
diagrams, 1 being a marketing slide.

: CheckPoint doesn't have proxies for a start, so all it does is either
: pass or deny packets.  For Gauntlet, there is a fundamental difference
: for the path taken by data in the HTTP example above.  For the first
: 20 or so, the packets are interpreted by the local kernel as being a
: part of a local TCP connection, resulting in data being copied in/out
: of a user-space proxy.  Once the proxy is happy, it tells the kernel to
: just pass the rest of the packets through - basic pkt filtering.  There
: is no longer any copying of data between kernel/user space, no local
: interpretation of TCP packets, etc.

One quote from the paper is: "With an adaptive proxy firewall, initial
security examinations are still conducted at the secure application
layer, but subsequent packets can be redirected through the network
layer as soon as the security clearance has been made".  In the case
above I assume the proxy has built a new TCP connection to the
destination server, then at some point decides it's OK to packet filter
the connection.  What about address and sequence number translation in
this case?
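The translation question raised above is concrete enough to model. The following is an added example, not code from the original post and not Gauntlet's implementation: a small Python model of the per-connection state a packet filter would need once a proxy that has terminated the client's connection (pair A) and opened its own connection to the server (pair B) hands the flow down to the network layer. All names (`Splice`, `to_server`, `to_client`, the skew fields) and the sample addresses and initial sequence numbers are assumptions made for illustration.

```python
"""Constructed model of the header rewriting a packet filter must do after an
application proxy splices two TCP connections into one forwarded flow.

Not Gauntlet code. Connection A is client <-> proxy, connection B is
proxy <-> server. The two were set up independently, so addresses, ports and
initial sequence numbers (ISNs) differ, and every forwarded header needs its
addresses rewritten (ordinary NAT) and its seq/ack shifted by a per-flow delta.
"""

from dataclasses import dataclass, replace

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass(frozen=True)
class TcpHeader:
    src: Endpoint
    dst: Endpoint
    seq: int
    ack: int


@dataclass(frozen=True)
class Splice:
    client: Endpoint        # real client (connection A)
    proxy_in: Endpoint      # what the client talked to (connection A)
    proxy_out: Endpoint     # proxy's source toward the server (connection B)
    server: Endpoint        # real server (connection B)
    client_isn: int         # ISN the client chose on A
    proxy_in_isn: int       # ISN the proxy chose toward the client on A
    proxy_out_isn: int      # ISN the proxy chose toward the server on B
    server_isn: int         # ISN the server chose on B
    # Bytes the proxy added or removed before hand-off instead of forwarding
    # 1:1 (e.g. a rewritten request line). Positive means more bytes were sent
    # on the far side than were received from the near side. Assumed fields.
    c2s_skew: int = 0
    s2c_skew: int = 0

    def c2s_delta(self) -> int:
        """Shift from the client's seq space into the server-side seq space."""
        return (self.proxy_out_isn - self.client_isn + self.c2s_skew) % MOD

    def s2c_delta(self) -> int:
        """Shift from the server's seq space into the client-side seq space."""
        return (self.proxy_in_isn - self.server_isn + self.s2c_skew) % MOD

    def to_server(self, h: TcpHeader) -> TcpHeader:
        """Rewrite a client packet so the server accepts it on connection B.
        seq moves into proxy_out's space; ack, which acknowledged proxy_in's
        bytes, moves back into the server's own space."""
        assert h.src == self.client and h.dst == self.proxy_in, "not a flow-A packet"
        return replace(h, src=self.proxy_out, dst=self.server,
                       seq=(h.seq + self.c2s_delta()) % MOD,
                       ack=(h.ack - self.s2c_delta()) % MOD)

    def to_client(self, h: TcpHeader) -> TcpHeader:
        """Rewrite a server packet so the client accepts it on connection A."""
        assert h.src == self.server and h.dst == self.proxy_out, "not a flow-B packet"
        return replace(h, src=self.proxy_in, dst=self.client,
                       seq=(h.seq + self.s2c_delta()) % MOD,
                       ack=(h.ack - self.c2s_delta()) % MOD)


def sample_splice(c2s_skew: int = 0) -> Splice:
    """Constructed flow: proxy_out's ISN sits just below 2**32 so the
    translated sequence numbers exercise the wrap-around."""
    return Splice(
        client=Endpoint("10.0.0.5", 40000),
        proxy_in=Endpoint("10.0.0.1", 8080),
        proxy_out=Endpoint("192.0.2.1", 51000),
        server=Endpoint("198.51.100.7", 80),
        client_isn=1000,
        proxy_in_isn=5000,
        proxy_out_isn=0xFFFFFF00,
        server_isn=20000,
        c2s_skew=c2s_skew,
    )


def forward_request(c2s_skew: int = 0) -> TcpHeader:
    """Client has sent 300 request bytes (next seq 1301) and acknowledged only
    the proxy's SYN (ack 5001); the proxy hands the flow off here."""
    s = sample_splice(c2s_skew)
    pkt = TcpHeader(src=s.client, dst=s.proxy_in, seq=1301, ack=5001)
    return s.to_server(pkt)


def forward_response() -> TcpHeader:
    """Server starts its reply (seq 20001) and acks the 300 bytes it received
    in proxy_out's space (ack 45 after wrap)."""
    s = sample_splice()
    pkt = TcpHeader(src=s.server, dst=s.proxy_out, seq=20001, ack=45)
    return s.to_client(pkt)


if __name__ == "__main__":
    print(forward_request())
    print(forward_response())
```

The deltas are only valid if the proxy forwarded the byte streams 1:1 up to the hand-off point; anything it consumed or injected has to be folded into the skew terms, and a real filter would also have to recompute the TCP checksum after rewriting addresses, ports and sequence numbers.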


