Firewall Wizards mailing list archives

Re: What is a proxy?


From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 25 Jan 2001 12:18:06 -0500

Robert Graham wrote:

My question is this: has anybody done a review of the proxies out there
(specifically HTTP, SMTP, POP3, etc.) that measures the degree to which the
proxy service "cleanses" information passing through it? 

<snip>

Likewise, do people consider this an important issue?

Speaking from the user, not the vendor, side of things:

Considering the marketing behind proxies, their perceived and 
real advantages, and their potential for added functionality, 
I'd say it is *mandatory* to understand to what level a protocol or 
application is actually being proxied. This includes what decisions 
are being made about things like the safety of certain options, 
headers, buffer limits, known-exploit-pattern checking, etc. 

This understanding is necessary not only to choose an appropriate 
product but also to realistically assess the assumed risk, properly 
set expectations, create policies about application usage, apply 
rule-sets, troubleshoot problems, and interpret logs.

Not having read any commercial firewall documentation in a long 
while, I don't know if this type of information is in the manual. 
The marketing literature sometimes has check-offs indicating 
individual protocols or applications that are proxied but I've 
never seen any details.

I'd guess the issue is similar to the inner workings of intrusion 
detection, anti-virus, and vulnerability scanners. Without knowing 
what they're really doing, we're forced to assess the accuracy of 
their reports and even their suitability to task by deploying them 
rather than being able to perform an analysis on their implementation. 
At best, we have to depend upon trade magazine tests, peer tests, 
limited time evaluations, open disclosure lists, etc.

While I certainly wouldn't want to examine anti-virus detection
pattern logic, the smaller number of proxies makes examination of
them a realistic endeavor on the part of the consumer. As an aside,
it would be nice to have the vulnerability and intrusion detection 
logic available too. Being much more numerous than proxies, reviews 
would probably be done by testing groups (and competitors :) rather 
than individual end users but the end user would find value in 
being able to examine the logic when investigating both false and 
true detections.

Back to firewalls.

Some proxy developers will conscientiously implement full protocol/
application implementations but some may simply satisfy RFP checkoff 
points by implementing a banner filter and a blind relay as you 
suggested.

Since some companies view facts about these implementations as 
proprietary information giving them marketing advantages we're put 
in the position of being at their mercy...the old trust issue again :)

I suspect the growing popularity of open-source security tools, 
corporate GUI/turn-key-security-policy purchases notwithstanding, is 
the result of this uncertainty.

Playing Devil's Advocate for the moment:

 a) There is the possibility that some of today's protocols and 
    applications are inherently insecure regardless of proxy logic and 
    the only thing keeping them more secure than an open network is 
    the obscurity of the proxy implementation. 
 b) It may be a practical impossibility to describe the inner workings 
    of a proxy in sufficient detail for a thorough analysis without 
    publishing the source code which, again, brings up issues of 
    intellectual property, competitive advantage, and "need to know" 
    security.
 c) The proxies may change so often that providing updated documentation 
    becomes a significant effort.

I anxiously await any answers to the question you posed.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/info-security/engineering/runsafe.shtml
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards